github.com/navidrome/navidrome (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package github.com/navidrome/navidrome, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (11)
CVE-2025-48949 — CVSS 9.8 (critical): Navidrome is an open source web-based music collection server and streamer. Versions 0.55.0 through 0.55.2 have a vulnerability due to…
CVE-2024-41259 — CVSS 9.1 (critical): Use of insecure hashing algorithm in the Gravatar's service in Navidrome v0.52.3 allows attackers to manipulate a user's account…
CVE-2024-47062 — CVSS 8.8 (high): Navidrome is an open source web-based music collection server and streamer. Navidrome automatically adds parameters in the URL to SQL…
CVE-2023-51442 — CVSS 8.6 (high): Navidrome is an open source web-based music collection server and streamer. A security vulnerability has been identified in navidrome's…
CVE-2024-56362 — CVSS 7.1 (high): Navidrome is an open source web-based music collection server and streamer. Navidrome stores the JWT secret in plaintext in the…
CVE-2026-25579 — CVSS 6.5 (medium): Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the…
CVE-2025-27112 — CVSS 6.5 (medium): Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in…
CVE-2025-48948 — CVSS 6.5 (medium): Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0…
CVE-2022-23857 — CVSS 6.5 (medium): model/criteria/criteria.go in Navidrome before 0.47.5 is vulnerable to SQL injection attacks when processing crafted Smart Playlists. An…
CVE-2026-25578 — CVSS 6.1 (medium): Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability…
CVE-2024-32963 — CVSS 4.2 (medium): Navidrome is an open source web-based music collection server and streamer. In affected versions of Navidrome are subject to a parameter…