subsonic CVE Vulnerabilities & Metrics

Focus on subsonic vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About subsonic Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with subsonic. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.


Global CVE Overview

Total subsonic CVEs: 12
Earliest CVE date: 07 Jun 2017, 19:29 UTC
Latest CVE date: 19 Dec 2018, 11:29 UTC

Latest CVE reference: CVE-2018-20228

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 0

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while the Rolling Growth Rate uses a gliding window (e.g., the last 30 days versus the 30 days before them), which captures trends independent of calendar boundaries. Both are measured relative to the page's last-updated timestamp; because no Subsonic CVE has been published since December 2018, every rolling and calendar figure on this page is zero.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical subsonic CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 4.92

Max CVSS: 6.8

Critical CVEs (≥9): 0

The scores on this page are CVSS v2 base scores: 4.3 for the stored XSS entries and 6.8 for the CSRF entries are the characteristic v2 values for those classes. CVSS v3 rates the same classes higher, so read "Critical: 0" and "Max: 6.8" as v2 figures, not as a statement that none of these issues needs patching.

CVSS Range vs. Count

Range      Count
0.0-3.9    0
4.0-6.9    12
7.0-8.9    0
9.0-10.0   0
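The metrics above, recomputed from the twelve entries listed on this page. This is an added example and not code from the page or from the Subsonic project; the CVE table is constructed from the listing below, the reference date is the page's "Last updated" date, and the year variation is taken as year-to-date versus the previous full year, which is an assumption about how the page defines it. Running the same functions as of 2018-10-15 shows where rolling and calendar windows diverge.

```python
from datetime import date, timedelta

# Constructed from the 12 entries listed on this page: (CVE id, CVSS as shown, publication date).
CVES = [
    ("CVE-2018-20228", 6.0, "2018-12-19"),
    ("CVE-2018-9282",  4.3, "2018-09-21"),
    ("CVE-2018-14691", 4.3, "2018-09-21"),
    ("CVE-2018-14690", 4.3, "2018-09-21"),
    ("CVE-2018-14689", 4.3, "2018-09-21"),
    ("CVE-2018-14688", 4.3, "2018-09-21"),
    ("CVE-2018-15898", 4.3, "2018-09-11"),
    ("CVE-2017-9414",  6.8, "2018-02-05"),
    ("CVE-2018-6014",  4.3, "2018-01-23"),
    ("CVE-2017-9413",  6.8, "2017-07-25"),
    ("CVE-2017-9415",  5.1, "2017-07-21"),
    ("CVE-2017-9355",  4.3, "2017-06-07"),
]

# The page's "Last updated" date; every metric is computed as of this day.
PAGE_DATE = date(2025, 3, 8)

# Bucket edges as used in the page's "CVSS Range vs. Count" table.
BUCKETS = [("0.0-3.9", 0.0, 3.9), ("4.0-6.9", 4.0, 6.9),
           ("7.0-8.9", 7.0, 8.9), ("9.0-10.0", 9.0, 10.0)]


def _as_date(as_of):
    return date.fromisoformat(as_of) if isinstance(as_of, str) else as_of


def published_by(cves, as_of):
    """Entries published on or before `as_of`, with ISO dates parsed."""
    as_of = _as_date(as_of)
    rows = [(cid, score, date.fromisoformat(d)) for cid, score, d in cves]
    return [r for r in rows if r[2] <= as_of]


def cvss_stats(cves, as_of=PAGE_DATE):
    scores = [s for _, s, _ in published_by(cves, as_of)]
    return {
        "total": len(scores),
        "average": sum(scores) / len(scores) if scores else 0.0,
        "max": max(scores, default=0.0),
        "critical": sum(1 for s in scores if s >= 9.0),
        # CVSS scores carry one decimal, so closed [lo, hi] buckets leave no gaps.
        "buckets": {label: sum(1 for s in scores if lo <= s <= hi)
                    for label, lo, hi in BUCKETS},
    }


def rolling_count(cves, as_of, days):
    """CVEs published in the half-open window (as_of - days, as_of]."""
    as_of = _as_date(as_of)
    start = as_of - timedelta(days=days)
    return sum(1 for _, _, d in published_by(cves, as_of) if d > start)


def pct_change(current, previous):
    """Growth in percent; 0.0 when both counts are zero, None when only the baseline is zero."""
    if previous == 0:
        return 0.0 if current == 0 else None
    return (current - previous) / previous * 100.0


def rolling_metrics(cves, as_of=PAGE_DATE):
    """Gliding windows: the last N days versus the N days before them."""
    as_of = _as_date(as_of)
    out = {}
    for days in (30, 365):
        current = rolling_count(cves, as_of, days)
        previous = rolling_count(cves, as_of - timedelta(days=days), days)
        out[f"{days}d"] = current
        out[f"{days}d_growth_pct"] = pct_change(current, previous)
    return out


def calendar_metrics(cves, as_of=PAGE_DATE):
    """Fixed periods: this calendar month versus the same month a year earlier,
    and this calendar year to date versus the previous full year (assumed definition)."""
    as_of = _as_date(as_of)
    rows = published_by(cves, as_of)

    def in_month(y, m):
        return sum(1 for _, _, d in rows if (d.year, d.month) == (y, m))

    def in_year(y):
        return sum(1 for _, _, d in rows if d.year == y)

    return {
        "month_variation_pct": pct_change(in_month(as_of.year, as_of.month),
                                          in_month(as_of.year - 1, as_of.month)),
        "year_variation_pct": pct_change(in_year(as_of.year), in_year(as_of.year - 1)),
    }


if __name__ == "__main__":
    print(cvss_stats(CVES))
    print(rolling_metrics(CVES))
    print(calendar_metrics(CVES))
    # Same data as of 2018-10-15: the 30-day window holds the five September
    # entries while the calendar month (October) holds none.
    print(rolling_metrics(CVES, "2018-10-15"))
    print(calendar_metrics(CVES, "2018-10-15"))
```

With the page's reference date every window is empty, which is why the page shows 0 and 0.0% throughout; with a reference date of 2018-10-15 the 30-day rolling count is 5 against a calendar-month count of 0, the difference the definitions above describe.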

CVSS Distribution Chart

Top 5 Highest CVSS subsonic CVEs

These are the five CVEs with the highest CVSS scores for subsonic, sorted by severity first and then by recency.

All CVEs for subsonic

CVE-2018-20228 subsonic vulnerability CVSS: 6.0 19 Dec 2018, 11:29 UTC

Subsonic V6.1.5 allows internetRadioSettings.view streamUrl CSRF, with resultant SSRF.

CVE-2018-9282 subsonic vulnerability CVSS: 4.3 21 Sep 2018, 16:29 UTC

An XSS issue was discovered in Subsonic Media Server 6.1.1. The podcast subscription form is affected by a stored XSS vulnerability in the add parameter to podcastReceiverAdmin.view; no administrator access is required. By injecting a JavaScript payload, this flaw could be used to manipulate a user's session, or elevate privileges by targeting an administrative user.

CVE-2018-14691 subsonic vulnerability CVSS: 4.3 21 Sep 2018, 16:29 UTC

An issue was discovered in Subsonic 6.1.1. The music tags feature is affected by three stored cross-site scripting vulnerabilities in the c0-param2, c0-param3, and c0-param4 parameters to dwr/call/plaincall/tagService.setTags.dwr that could be used to steal session information of a victim.

CVE-2018-14690 subsonic vulnerability CVSS: 4.3 21 Sep 2018, 16:29 UTC

An issue was discovered in Subsonic 6.1.1. The general settings are affected by two stored cross-site scripting vulnerabilities in the title and subtitle parameters to generalSettings.view that could be used to steal session information of a victim.

CVE-2018-14689 subsonic vulnerability CVSS: 4.3 21 Sep 2018, 16:29 UTC

An issue was discovered in Subsonic 6.1.1. The transcoding settings are affected by five stored cross-site scripting vulnerabilities in the name[x], sourceformats[x], targetFormat[x], step1[x], and step2[x] parameters (where x is an integer) to transcodingSettings.view that could be used to steal session information of a victim.

CVE-2018-14688 subsonic vulnerability CVSS: 4.3 21 Sep 2018, 16:29 UTC

An issue was discovered in Subsonic 6.1.1. The radio settings are affected by three stored cross-site scripting vulnerabilities in the name[x], streamUrl[x], homepageUrl[x] parameters (where x is an integer) to internetRadioSettings.view that could be used to steal session information of a victim.

CVE-2018-15898 subsonic vulnerability CVSS: 4.3 11 Sep 2018, 21:29 UTC

The Subsonic Music Streamer application 4.4 for Android has Improper Certificate Validation of the Subsonic server certificate, which might allow man-in-the-middle attackers to obtain interaction data.

CVE-2017-9414 subsonic vulnerability CVSS: 6.8 05 Feb 2018, 16:29 UTC

Cross-site request forgery (CSRF) vulnerability in the Subscribe to Podcast feature in Subsonic 6.1.1 allows remote attackers to hijack the authentication of unspecified victims for requests that conduct cross-site scripting (XSS) attacks or possibly have unspecified other impact via the name parameter to playerSettings.view.

CVE-2018-6014 subsonic vulnerability CVSS: 4.3 23 Jan 2018, 00:29 UTC

Subsonic v6.1.3 has an insecure allow-access-from domain="*" Flash cross-domain policy that allows an attacker to retrieve sensitive user information via a read request. To exploit this issue, an attacker must convince the user to visit a web site loaded with a SWF file created specifically to steal user data.

CVE-2017-9413 subsonic vulnerability CVSS: 6.8 25 Jul 2017, 18:29 UTC

Multiple cross-site request forgery (CSRF) vulnerabilities in the Podcast feature in Subsonic 6.1.1 allow remote attackers to hijack the authentication of users for requests that (1) subscribe to a podcast via the add parameter to podcastReceiverAdmin.view or (2) update Internet Radio Settings via the urlRedirectCustomUrl parameter to networkSettings.view. NOTE: These vulnerabilities can be exploited to conduct server-side request forgery (SSRF) attacks.

CVE-2017-9415 subsonic vulnerability CVSS: 5.1 21 Jul 2017, 14:29 UTC

Cross-site request forgery (CSRF) vulnerability in subsonic 6.1.1 allows remote attackers with knowledge of the target username to hijack the authentication of users for requests that change passwords via a crafted request to userSettings.view.

CVE-2017-9355 subsonic vulnerability CVSS: 4.3 07 Jun 2017, 19:29 UTC

XML external entity (XXE) vulnerability in the import playlist feature in Subsonic 6.1.1 might allow remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted XSPF playlist file.
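Two of the entries above share a root cause worth seeing in code: the XXE in playlist import (CVE-2017-9355) turns a crafted XSPF file into server-side requests, and the internet-radio streamUrl CSRF (CVE-2018-20228) turns an attacker-chosen URL into the same kind of request. The block below is an added example, not code from Subsonic (which is Java) or from this page: a playlist importer that refuses any DTD before expat can act on it, plus a scheme and literal-address check for a user-supplied stream URL. It uses only the Python standard library; the XSPF namespace is the real one, the sample playlists are constructed, the function names are mine, and the hostname branch of the URL check is deliberately partial (it does not resolve names, so the resolved address still has to be checked at connect time).

```python
import ipaddress
import xml.parsers.expat
from urllib.parse import urlsplit

XSPF_NS = "http://xspf.org/ns/0/"


class UnsafePlaylist(ValueError):
    """Raised when a playlist carries a DTD or entity the importer must not process."""


def parse_xspf_locations(xml_bytes):
    """Return the <location> URLs of an XSPF playlist.

    Any DOCTYPE, entity declaration or external entity reference aborts the
    parse: a playlist import has no legitimate use for a DTD, and refusing it
    before the parser sees the entity is what closes the XXE-to-SSRF path."""
    locations, buf, in_location = [], [], False

    def refuse(*_args):
        # Used for all three DTD-related callbacks; raising inside an expat
        # handler stops the parse and propagates out of Parse().
        raise UnsafePlaylist("DTD / entity constructs are not allowed in playlists")

    def start(name, _attrs):
        nonlocal in_location
        if name == f"{XSPF_NS} location":
            in_location = True
            buf.clear()

    def end(name):
        nonlocal in_location
        if name == f"{XSPF_NS} location":
            in_location = False
            locations.append("".join(buf).strip())

    def chars(data):
        if in_location:          # character data may arrive in several chunks
            buf.append(data)

    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = refuse
    parser.EntityDeclHandler = refuse
    parser.ExternalEntityRefHandler = refuse
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(xml_bytes, True)
    return locations


def is_acceptable_stream_url(url):
    """Scheme and literal-IP check for a user-supplied stream or playlist URL.

    Only http/https, and no literal loopback, private or link-local address.
    A hostname passes here; the resolved address must be re-checked at connect
    time, otherwise a name that resolves internally bypasses this check."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        return ipaddress.ip_address(parts.hostname).is_global
    except ValueError:                       # not a literal IP address
        return parts.hostname.lower() != "localhost"


def rejects_playlist(xml_bytes):
    """True when the importer refuses the document."""
    try:
        parse_xspf_locations(xml_bytes)
    except UnsafePlaylist:
        return True
    return False


# Constructed sample playlists; the loopback address is a placeholder target.
CLEAN_XSPF = b"""<?xml version="1.0" encoding="UTF-8"?>
<playlist version="1" xmlns="http://xspf.org/ns/0/">
  <trackList>
    <track><location>http://radio.example/stream</location></track>
    <track><location>https://cdn.example/track.mp3</location></track>
  </trackList>
</playlist>"""

XXE_XSPF = b"""<?xml version="1.0"?>
<!DOCTYPE playlist [ <!ENTITY xxe SYSTEM "http://127.0.0.1/"> ]>
<playlist version="1" xmlns="http://xspf.org/ns/0/">
  <trackList><track><location>&xxe;</location></track></trackList>
</playlist>"""

if __name__ == "__main__":
    print(parse_xspf_locations(CLEAN_XSPF))
    print("XXE sample refused:", rejects_playlist(XXE_XSPF))
    for u in ("http://radio.example/stream", "file:///etc/passwd",
              "http://127.0.0.1/", "http://169.254.169.254/"):
        print(u, is_acceptable_stream_url(u))
```

Refusing the DOCTYPE outright is simpler and safer than trying to allow "harmless" DTDs: it also stops internal-entity expansion attacks, and there is no playlist format a media server needs that depends on one. The URL check belongs on every field that the server will later fetch itself, which for this product includes the internet-radio stream and homepage URLs as well as podcast feed URLs.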