Security Deep Dive
navidrome
Security posture and CVE patch evidence from tracked releases.
Open CVEs reported against v0.61.2.
See the CVE patch history below for context.
Versions by Severity
CVEs are attributed to tracked releases published before the patch release.
| Version | Published | C | H | M | L | KEV | Notes |
|---|---|---|---|---|---|---|---|
| v0.61.2 | 2026-04-12 | — | — | — | — | — |
Latest
|
| v0.61.1 | 2026-04-05 | — | — | — | — | — |
—
|
| v0.61.0 | 2026-03-31 | — | — | — | — | — |
—
|
| v0.60.3 | 2026-02-10 | — | — | — | — | — |
—
|
| v0.60.2 | 2026-02-07 | — | — | — | — | — |
—
|
| v0.60.0 | 2026-02-03 | — | — | — | — | — |
Trust Signals — 2 of 9 Present
Evidence already collected from releases and repository metadata.
Security Score
A composite score aggregating Scorecard performance, CVE patch history, OpenSSF badge tier, and dependency vulnerability exposure. Score ≥ 7.0 is healthy; < 4.0 warrants attention.
epss
0.25 / 0.5
No EPSS data
freshness
1.00 / 1.0
4d stale
scorecard
1.92 / 4.0
Score 4.8/10
cve health
0.00 / 2.5
Open CVEs detected
patch speed
0.50 / 0.5
0d avg
kev exposure
1.50 / 1.5
No KEV exposure
supply chain risk
0.00 / 10.0
Risk 0.0/100
Score breakdown
schema v2Vulnerability posture
vulnerability posture
0.0
25%
Release responsiveness
release responsiveness
10.0
5%
Dependency exposure
dependency exposure
10.0
10%
Provenance trust
provenance trust
4.8
40%
Maintainer health
maintainer health
10.0
10%
Operational risk
operational risk
8.5
10%
How is this calculated?
The six dimensions group the legacy score signals into weighted categories: direct vulnerability status, patch responsiveness, dependency exposure, provenance checks, maintainer activity, and exploitability risk. The flat component values above remain available for compatibility.
Scorecard
Scorecard 4.8/10OpenSSF Scorecard evaluates supply-chain security practices automatically. Score ≥ 6 is passing; ≥ 8 is excellent.
| Check | Score | Reason |
|---|---|---|
| Maintained | 10 | 30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 |
| Code-Review | 1 | Found 5/30 approved changesets -- score normalized to 1 |
| Dangerous-Workflow | 10 | no dangerous workflow patterns detected |
| CII-Best-Practices | 0 | no effort to earn an OpenSSF best practices badge detected |
| Token-Permissions | 0 | detected GitHub workflow tokens with excessive permissions |
| Binary-Artifacts | 10 | no binaries found in the repo |
| Security-Policy | 0 | security policy file not detected |
| License | 10 | license file detected |
| Fuzzing | 0 | project is not fuzzed |
| Branch-Protection | -1 | internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md |
| Signed-Releases | 0 | Project has not signed or included provenance with any releases. |
| SAST | 7 | SAST tool is not run on all commits -- score normalized to 7 |
| Packaging | 10 | packaging workflow detected |
| Pinned-Dependencies | 1 | dependency not pinned by hash detected -- score normalized to 1 |
OpenSSF Badge
Badge indicates adherence to open-source best practices.
CVE Patch History
Median patch time: 0 daysTracks CVEs that were addressed in tagged releases. Shorter gap between disclosure and patch = faster response. EPSS = predicted probability of exploitation in next 30 days (FIRST.org); colored at ≥90%ile and ≥50%ile.
CVEs Patched by Year
| CVE | Severity | EPSS | Disclosed | Fixed in | Days to fix | vs Ecosystem Median | KEV |
|---|---|---|---|---|---|---|---|
| GHSA-hrr4-3wgr-68x3 | Critical | — | — | v0.60.0 | — | — | — |
| GHSA-rh3r-8pxm-hg4w | unknown | — | — | v0.60.0 | — | — | — |
| GO-2026-4411 | unknown | — | — | v0.60.0 | — | — | — |
| GO-2026-4413 | unknown | — | — | v0.60.0 | — | — | — |
KEV = CISA Known Exploited Vulnerabilities catalog — actively exploited in the wild.