Navidrome · Navidrome · CVE-2026-25578
**Name of the Vulnerable Software and Affected Versions**
Navidrome versions prior to 0.60.0
**Description**
Navidrome is a web-based music collection server and streamer. A cross-site scripting issue exists in the frontend that allows an attacker to inject code through the comment metadata of a song, which could lead to the exfiltration of user credentials. The vulnerable component is the frontend application; the attack vector is the `comment` metadata tag associated with a song, which is attacker-controlled content read from the media file rather than entered by a trusted user.
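The underlying defect class is stored XSS from file metadata: a tag value is taken from an untrusted media file and rendered into the page as markup. The following is an added illustration, not Navidrome's code, of the vulnerable rendering pattern beside its hardened form, plus a library-scan check a defender can run over extracted tags. All function names and the sample songs are constructed for this example.

```javascript
// Added example (not Navidrome's code). Song comments originate in file tags,
// so the frontend must treat them as untrusted text, never as HTML.

// Escape the characters that can change HTML parsing context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the raw tag value is interpolated straight into markup,
// so any HTML in the comment becomes part of the DOM.
function renderCommentUnsafe(song) {
  return `<p class="comment">${song.comment ?? ''}</p>`;
}

// Hardened pattern: escape before interpolation. In a DOM or React app the
// equivalent is assigning textContent or rendering a text node, never innerHTML
// or dangerouslySetInnerHTML.
function renderCommentSafe(song) {
  return `<p class="comment">${escapeHtml(song.comment ?? '')}</p>`;
}

// Defender-side check for a library scan: flag comment tags that contain
// markup or a javascript: URL so they can be reviewed before display.
function commentContainsMarkup(comment) {
  const text = comment ?? '';
  return /<\s*\/?\s*[a-z!]/i.test(text) || /javascript:/i.test(text);
}

// Constructed sample metadata (not real tags): one clean comment, one with markup.
const SAMPLE_SONGS = [
  { title: 'Track A', comment: 'Ripped from vinyl, 2019' },
  { title: 'Track B', comment: '<b>bold</b> & "quoted"' },
];

// Returns the titles whose comment tag should be reviewed.
function scanLibrary(songs) {
  return songs.filter((s) => commentContainsMarkup(s.comment)).map((s) => s.title);
}

console.log('flagged:', scanLibrary(SAMPLE_SONGS));
console.log('safe render:', renderCommentSafe(SAMPLE_SONGS[1]));
```

The escaping step belongs at the rendering boundary, not at import time: stripping tags from the database would lose legitimate comments that merely contain `<` or `&`, while escaping at render preserves the data and still neutralises it. The scan function is a detection aid for existing libraries, not a substitute for the fix.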
**Recommendations**
Update to version 0.60.0 or later.