cvedb.io
CVE-2022-23857
MEDIUM · CVSS 6.5
EPSS exploitation probability: 0%
Published 2022-01-24T02:15:06.877 · Last modified 2026-06-17T04:30:53.800

Summary

model/criteria/criteria.go in Navidrome before 0.47.5 is vulnerable to SQL injection attacks when processing crafted Smart Playlists. An authenticated user could abuse this to extract arbitrary data from the database, including the user table (which contains sensitive information such as the users' encrypted passwords).

Affected products

navidrome — navidrome


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.