FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Navidrome -- SQL Injection via role parameter

Affected packages
0.55.0 < navidrome < 0.56.0

Details

VuXML ID: fc2d2fb8-4c83-11f0-8deb-f8f21e52f724
Discovery: 2025-05-29
Entry: 2025-06-18

Deluan reports:

This vulnerability arises due to improper input validation on the role parameter within the API endpoint /api/artist. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially gaining unauthorized access to the backend database and compromising sensitive user information.

References

CVE Name: CVE-2025-48949
URL: https://nvd.nist.gov/vuln/detail/CVE-2025-48949