github.com/navidrome/navidrome v0.58.5 (golang)
Published: Nov 9, 2025
golang Registry
Overview
Versions: 50
Vulnerabilities: 2
Dependencies: 0
Severity: Critical (0), High (0), Medium (2), Low (0)
6.5
CVE-2026-25579
Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/share/img/<token>). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth. This triggers the Linux OOM killer, terminates the Navidrome process, and results in a full service outage. If the system has sufficient memory and survives the allocation, Navidrome then writes these extremely large resized images into its cache directory, allowing an attacker to rapidly exhaust server disk space as well. This issue has been patched in version 0.60.0.
Status: affected
Severity: Medium
Published: Feb 5, 2026
6.1
sonatype-2026-000315
github.com/navidrome/navidrome - Cross-Site Scripting (XSS)
Status: affected
Severity: Medium
Published: Feb 4, 2026