Vulnerability CVE-2026-25578: Information

Description

Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched in version 0.60.0.

Severity: MEDIUM (6.1)
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Published: Feb. 4, 2026
Modified: Feb. 5, 2026
Error type identifier: CWE-79, CWE-80

Fixed packages

Package name | Branch               | Fixed in version | Version from repository | Errata ID          | Task # | State
navidrome    | sisyphus             | 0.60.0-alt1      | 0.60.3-alt1             | ALT-PU-2026-2195-3 | 407121 | Fixed
navidrome    | sisyphus_loongarch64 | 0.60.0-alt1      | 0.60.3-alt1             | ALT-PU-2026-2282-1 | -      | Fixed
navidrome    | p11                  | 0.60.0-alt1      | 0.60.0-alt1             | ALT-PU-2026-2203-3 | 407122 | Fixed

References to Advisories, Solutions, and Tools