Impact
Navidrome, an open‑source web‑based music server, has a client‑side cross‑site scripting flaw that lets a malicious author insert arbitrary JavaScript into a song’s comment metadata. Because the application displays this metadata unescaped in the browser, an attacker can run script in the victim’s session and harvest authentication tokens or other credentials stored in the client’s cookies or local storage. The weakness is a classic reflected XSS (CWE‑79/80) that affects confidentiality by enabling credential theft and potentially session hijacking. Based on the description, it is inferred that the attacker must first add or edit a comment in a song’s metadata through the UI, a capability normally limited to authenticated users.
Affected Systems
All instances of the Navidrome server released before version 0.60.0 are prone to this issue. The vendor’s advisory lists the product as navidrome:navidrome, and the fix is incorporated in the 0.60.0 release. The vulnerability is present in the front‑end JavaScript code that renders song metadata comments, so every deployment that renders song comments is affected regardless of the underlying operating system or hosting environment.
Risk and Exploitability
The flaw carries a CVSS score of 6.1, indicating moderate severity when exploitation succeeds. The EPSS ranking is below 1 %, showing that, at the time of assessment, the probability of active exploitation was low. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires access to the UI used to add or edit song comments, which is typically restricted to authenticated users. Once an attacker can inject a comment, however, the client‑side script runs with the victim’s privileges and can exfiltrate credentials, offering high damage potential for the compromised account.
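The rendering mistake described above, shown as an added example that is not Navidrome’s code: the vulnerable pattern interpolates the raw comment into HTML, the hardened pattern HTML‑escapes it first, and an audit helper flags stored comments that already contain markup. The track records and the comment strings are constructed for illustration.

```javascript
// Added example (not Navidrome's code). Constructed sample metadata, as a
// tagger could write it into a file's comment field.
const sampleTracks = [
  { title: "Track A", comment: "Ripped from vinyl, 2019" },
  { title: "Track B", comment: "<b>Great</b> & \"loud\"" },
  { title: "Track C", comment: "<script>run()</script>" }, // constructed markup
];

// Escape the five characters that can change HTML context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (the class of bug the advisory describes): any markup in
// the comment becomes live DOM once this string is assigned to innerHTML.
function renderCommentUnsafe(track) {
  return `<p class="comment">${track.comment}</p>`;
}

// Hardened pattern: the comment can only ever be text. In a real DOM the
// equivalent is element.textContent = track.comment.
function renderCommentSafe(track) {
  return `<p class="comment">${escapeHtml(track.comment)}</p>`;
}

// Defender check: list tracks whose stored comment contains an HTML tag so an
// administrator can audit a library before upgrading to a fixed release.
const MARKUP_RE = /<\s*\/?\s*[a-z!]/i;
function findMarkupInComments(tracks) {
  return tracks
    .filter((t) => MARKUP_RE.test(t.comment || ""))
    .map((t) => t.title);
}
```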