vulnerability
FreeBSD: VID-95480188-6ebc-11f0-8a78-bf201f293bce (CVE-2025-48948): navidrome -- transcoding permission bypass vulnerability
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:S/C:N/I:C/A:N) | Aug 1, 2025 | Aug 2, 2025 | Jun 15, 2026 |
Severity
7
CVSS
(AV:N/AC:L/Au:S/C:N/I:C/A:N)
Published
Aug 1, 2025
Added
Aug 2, 2025
Modified
Jun 15, 2026
Description
Navidrome is an open source web-based music collection server and streamer. A permission verification flaw in versions prior to 0.56.0 allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. In the threat model where administrators are trusted but regular users are not, this vulnerability represents a significant security risk when transcoding is enabled. Version 0.56.0 patches the issue.
Solution
freebsd-upgrade-package-navidrome
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.