CVE-2026-25578

low-risk
Published 2026-02-04

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched in version 0.60.0.

Do I need to act?

-
0.01% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
6
CVSS 6.1/10 Medium
LOCAL / LOW complexity

Affected Products (1)

Affected Vendors

Navidrome

References (3)

Patch https://github.com/navidrome/navidrome/commit/d7ec7355c9036d5be659d6ac555c334bb5...
Product https://github.com/navidrome/navidrome/releases/tag/v0.60.0
Exploit https://github.com/navidrome/navidrome/security/advisories/GHSA-rh3r-8pxm-hg4w
25
/ 100
low-risk
Severity 20/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal