{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25578", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-03T01:02:46.714Z", "datePublished": "2026-02-04T21:58:42.727Z", "dateUpdated": "2026-02-05T14:31:27.664Z"}, "containers": {"cna": {"title": "Navidrome is vulnerable to XSS via comment from song metadata", "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "lang": "en", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/navidrome/navidrome/security/advisories/GHSA-rh3r-8pxm-hg4w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-rh3r-8pxm-hg4w"}, {"name": "https://github.com/navidrome/navidrome/commit/d7ec7355c9036d5be659d6ac555c334bb5848ba6", "tags": ["x_refsource_MISC"], "url": "https://github.com/navidrome/navidrome/commit/d7ec7355c9036d5be659d6ac555c334bb5848ba6"}, {"name": "https://github.com/navidrome/navidrome/releases/tag/v0.60.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/navidrome/navidrome/releases/tag/v0.60.0"}], "affected": [{"vendor": "navidrome", "product": "navidrome", "versions": [{"version": "< 0.60.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T21:58:42.727Z"}, "descriptions": [{"lang": "en", "value": "Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched in version 0.60.0."}], "source": {"advisory": "GHSA-rh3r-8pxm-hg4w", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-05T14:20:04.926776Z", "id": "CVE-2026-25578", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T14:31:27.664Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25578", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-05T14:20:04.926776Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T14:20:05.728Z"}}], "cna": {"title": "Navidrome is vulnerable to XSS via comment from song metadata", "source": {"advisory": "GHSA-rh3r-8pxm-hg4w", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "navidrome", "product": "navidrome", "versions": [{"status": "affected", "version": "< 0.60.0"}]}], "references": [{"url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-rh3r-8pxm-hg4w", "name": "https://github.com/navidrome/navidrome/security/advisories/GHSA-rh3r-8pxm-hg4w", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/navidrome/navidrome/commit/d7ec7355c9036d5be659d6ac555c334bb5848ba6", "name": "https://github.com/navidrome/navidrome/commit/d7ec7355c9036d5be659d6ac555c334bb5848ba6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/navidrome/navidrome/releases/tag/v0.60.0", "name": "https://github.com/navidrome/navidrome/releases/tag/v0.60.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched in version 0.60.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-04T21:58:42.727Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25578", "state": "PUBLISHED", "dateUpdated": "2026-02-05T14:31:27.664Z", "dateReserved": "2026-02-03T01:02:46.714Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-04T21:58:42.727Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:navidrome:navidrome:*:*:*:*:*:*:*:*", "matchCriteriaId": "505C09F4-61BF-49C6-A089-5E2E8577E01B", "versionEndExcluding": "0.60.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched in version 0.60.0."}, {"lang": "es", "value": "Navidrome es un servidor y streamer de colecci\u00f3n de m\u00fasica basado en web de c\u00f3digo abierto. Antes de la versi\u00f3n 0.60.0, una vulnerabilidad de cross-site scripting en el frontend permite a un atacante malicioso inyectar c\u00f3digo a trav\u00e9s de los metadatos de comentarios de una canci\u00f3n para exfiltrar credenciales de usuario. Este problema ha sido parcheado en la versi\u00f3n 0.60.0."}], "id": "CVE-2026-25578", "lastModified": "2026-02-18T19:03:44.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-04T22:16:01.107", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/navidrome/navidrome/commit/d7ec7355c9036d5be659d6ac555c334bb5848ba6"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/navidrome/navidrome/releases/tag/v0.60.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/navidrome/navidrome/security/advisories/GHSA-rh3r-8pxm-hg4w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-80"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T13:43:33.281496+00:00", "value": {"mitigation_remediation": ["Upgrade the Navidrome server to version\u202f0.60.0 or newer, which removes the unsafe comment rendering path.", "Restart the service so the updated binaries and configurations take effect.", "If an immediate upgrade is not possible, disable or filter the comment input field to strip script tags until the patch can be applied."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting that enables credential exfiltration"}, "threat_synthesis": {"affected_systems": "All instances of the Navidrome server released before version\u202f0.60.0 are prone to this issue. The vendor\u2019s advisory lists the product as navidrome:navidrome and the fix is incorporated in the 0.60.0 release. The vulnerability is present in the front\u2011end JavaScript code that renders song metadata comments, so every deployment that supplies unescaped comments is affected regardless of the underlying operating system or hosting environment.", "description_and_impact": "Navidrome, an open\u2011source web\u2011based music server, has a client\u2011side cross\u2011site scripting flaw that lets a malicious author insert arbitrary JavaScript into a song\u2019s comment metadata. Because the application displays this metadata unescaped in the browser, an attacker can run script in the victim\u2019s session and harvest authentication tokens or other credentials stored in the client\u2019s cookies or local storage. The weakness is a classic reflected XSS (CWE\u201179/80) that affects confidentiality by enabling credential theft and potentially session hijacking. Based on the description, it is inferred that the attack vector requires an attacker to first add or edit a comment in a song\u2019s metadata using the UI, a capability normally limited to authenticated users.", "risk_and_exploitability": "The flaw receives a 6.1 CVSS score, indicating a moderate risk when an exploit is successful. The EPSS ranking is below 1\u202f%, showing that, at the time of assessment, the probability of active exploitation was low. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires access to the UI used to add or edit song comments, which is typically restricted to authenticated users. Once an attacker can inject a comment, however, the client\u2011side script runs with the victim\u2019s privileges and can exfiltrate credentials, offering high damage potential for the compromised account."}}}}, "created": "2026-02-05T11:40:06.958264+00:00", "updated": "2026-04-18T13:45:45.681458+00:00", "vendors": ["navidrome", "navidrome$PRODUCT$navidrome"]}