diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
index 585c8d682e4a..db00fbdbffcc 100644
--- a/security/vuxml/vuln/2025.xml
+++ b/security/vuxml/vuln/2025.xml
@@ -1,3 +1,34 @@
+  <vuln vid="5ca2cafa-1f24-11f0-ab07-f8f21e52f724">
+    <topic>Navidrome -- Authentication bypass in Subsonic API</topic>
+    <affects>
+      <package>
+	<name>navidrome</name>
+	<range><lt>0.54.5</lt></range>
+	<range><gt>0.52.0</gt></range>
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Deluan reports:</p>
+	<blockquote cite="https://github.com/navidrome/navidrome/security/advisories/GHSA-c3p4-vm8f-386p">
+	  <p>In certain Subsonic API endpoints, authentication can be
+	bypassed by using a non-existent username combined with an
+	empty (salted) password hash. This allows read-only access to
+	the server’s resources, though attempts at write operations
+	fail with a “permission denied” error.</p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <cvename>CVE-2025-27112</cvename>
+      <url>https://nvd.nist.gov/vuln/detail/CVE-2025-27112</url>
+    </references>
+    <dates>
+      <discovery>2025-02-25</discovery>
+      <entry>2025-04-22</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="06269ae8-1e0d-11f0-ad0b-b42e991fc52e">
     <topic>Erlang -- Erlang/OTP SSH Vulnerable to Pre-Authentication RCE</topic>
     <affects>