
5 vulnerabilities by azuracast

CVE-2026-42605 (GCVE-0-2026-42605)

Vulnerability from cvelistv5 – Published: 2026-05-09 19:44 – Updated: 2026-05-09 19:44
Title
AzuraCast: Path Traversal in `currentDirectory` Parameter Enables Remote Code Execution via Media Upload
Summary
AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the currentDirectory request parameter in the Flow.js media upload endpoint (POST /api/station/{station_id}/files/upload) is not sanitized for path traversal sequences. When combined with a local filesystem storage backend (the default), an authenticated user with media management permissions can write arbitrary files outside the station's media storage directory, achieving remote code execution by writing a PHP webshell to the web root. This issue has been patched in version 0.23.6.
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
Impacted products
Vendor     Product     Version
AzuraCast  AzuraCast   Affected: < 0.23.6

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "AzuraCast",
          "vendor": "AzuraCast",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.23.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the currentDirectory request parameter in the Flow.js media upload endpoint (POST /api/station/{station_id}/files/upload) is not sanitized for path traversal sequences. When combined with a local filesystem storage backend (the default), an authenticated user with media management permissions can write arbitrary files outside the station\u0027s media storage directory, achieving remote code execution by writing a PHP webshell to the web root. This issue has been patched in version 0.23.6."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-09T19:44:05.893Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-vp2f-cqqp-478j",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-vp2f-cqqp-478j"
        },
        {
          "name": "https://github.com/AzuraCast/AzuraCast/commit/18c793b4427eb49e67a2fea99a89f1c9d9dd808d",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/AzuraCast/AzuraCast/commit/18c793b4427eb49e67a2fea99a89f1c9d9dd808d"
        },
        {
          "name": "https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6"
        }
      ],
      "source": {
        "advisory": "GHSA-vp2f-cqqp-478j",
        "discovery": "UNKNOWN"
      },
      "title": "AzuraCast: Path Traversal in `currentDirectory` Parameter Enables Remote Code Execution via Media Upload"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42605",
    "datePublished": "2026-05-09T19:44:05.893Z",
    "dateReserved": "2026-04-29T00:31:15.725Z",
    "dateUpdated": "2026-05-09T19:44:05.893Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42606 (GCVE-0-2026-42606)

Vulnerability from cvelistv5 – Published: 2026-05-09 19:43 – Updated: 2026-05-09 19:43
Title
AzuraCast: Password Reset Poisoning via Untrusted X-Forwarded-Host Header Leads to Account Takeover and 2FA Bypass
Summary
AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker's server. The attacker then uses the token on the real instance to reset the victim's password and destroy their 2FA configuration, achieving full account takeover. This issue has been patched in version 0.23.6.
CWE
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
Impacted products
Vendor     Product     Version
AzuraCast  AzuraCast   Affected: < 0.23.6

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "AzuraCast",
          "vendor": "AzuraCast",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.23.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker\u0027s server. The attacker then uses the token on the real instance to reset the victim\u0027s password and destroy their 2FA configuration, achieving full account takeover. This issue has been patched in version 0.23.6."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-09T19:43:35.866Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-gv7r-3mr9-h5x8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-gv7r-3mr9-h5x8"
        },
        {
          "name": "https://github.com/AzuraCast/AzuraCast/commit/7c622a18b451533de317e53862b1f84acf4efd85",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/AzuraCast/AzuraCast/commit/7c622a18b451533de317e53862b1f84acf4efd85"
        },
        {
          "name": "https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6"
        }
      ],
      "source": {
        "advisory": "GHSA-gv7r-3mr9-h5x8",
        "discovery": "UNKNOWN"
      },
      "title": "AzuraCast: Password Reset Poisoning via Untrusted X-Forwarded-Host Header Leads to Account Takeover and 2FA Bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42606",
    "datePublished": "2026-05-09T19:43:35.866Z",
    "dateReserved": "2026-04-29T00:31:15.725Z",
    "dateUpdated": "2026-05-09T19:43:35.866Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-67737 (GCVE-0-2025-67737)

Vulnerability from cvelistv5 – Published: 2025-12-12 06:53 – Updated: 2025-12-12 20:39
Title
AzuraCast Vulnerable to Pre-Auth File Deletion & Admin RCE
Summary
AzuraCast is a self-hosted, all-in-one web radio management suite. Version 0.23.1 mistakenly includes an API endpoint that is intended for internal use by the SFTP software sftpgo, exposing it to the public-facing HTTP API for AzuraCast installations. A user with specific internal knowledge of a station's operations can craft a custom HTTP request that would affect the contents of a station's database, without revealing any internal information about the station. In order to carry out an attack, a malicious user would need to know a valid SFTP station username and the coordinating internal filesystem structure. This issue is fixed in version 0.23.2.
CWE
  • CWE-862 - Missing Authorization
Assigner
Impacted products
Vendor     Product     Version
AzuraCast  AzuraCast   Affected: < 0.23.2

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-67737",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-12T20:39:27.203316Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-12T20:39:38.708Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AzuraCast",
          "vendor": "AzuraCast",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.23.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "AzuraCast is a self-hosted, all-in-one web radio management suite. Versions 0.23.1 mistakenly include an API endpoint that is intended for internal use by the SFTP software sftpgo, exposing it to the public-facing HTTP API for AzuraCast installations. A user with specific internal knowledge of a station\u0027s operations can craft a custom HTTP request that would affect the contents of a station\u0027s database, without revealing any internal information about the station. In order to carry out an attack, a malicious user would need to know a valid SFTP station username and the coordinating internal filesystem structure. This issue is fixed in version 0.23.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-12T06:53:15.213Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-9449-rphm-mjqr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-9449-rphm-mjqr"
        },
        {
          "name": "https://github.com/AzuraCast/AzuraCast/commit/34620dbad93f6cd8e209a4220e3e53c7c5fea844",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/AzuraCast/AzuraCast/commit/34620dbad93f6cd8e209a4220e3e53c7c5fea844"
        }
      ],
      "source": {
        "advisory": "GHSA-9449-rphm-mjqr",
        "discovery": "UNKNOWN"
      },
      "title": "AzuraCast Vulnerable to Pre-Auth File Deletion \u0026 Admin RCE"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-67737",
    "datePublished": "2025-12-12T06:53:15.213Z",
    "dateReserved": "2025-12-11T00:45:45.791Z",
    "dateUpdated": "2025-12-12T20:39:38.708Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2023-2531 (GCVE-0-2023-2531)

Vulnerability from cvelistv5 – Published: 2023-05-05 00:00 – Updated: 2025-02-12 16:30
Title
Improper Restriction of Excessive Authentication Attempts in azuracast/azuracast
Summary
Improper Restriction of Excessive Authentication Attempts in GitHub repository azuracast/azuracast prior to 0.18.3.
CWE
  • CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
Impacted products
Vendor     Product              Version
azuracast  azuracast/azuracast  Affected: unspecified, < 0.18.3 (custom)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:26:09.460Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/20463eb2-0f9d-4ea3-a2c8-93f80e7aca02"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/azuracast/azuracast/commit/bdb23594ad3e0c47c8568ce028a7c244a406cf9d"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-2531",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-29T17:14:34.455400Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T16:30:22.503Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "azuracast/azuracast",
          "vendor": "azuracast",
          "versions": [
            {
              "lessThan": "0.18.3",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Improper Restriction of Excessive Authentication Attempts in GitHub repository azuracast/azuracast prior to 0.18.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-05-05T00:00:00.000Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "url": "https://huntr.dev/bounties/20463eb2-0f9d-4ea3-a2c8-93f80e7aca02"
        },
        {
          "url": "https://github.com/azuracast/azuracast/commit/bdb23594ad3e0c47c8568ce028a7c244a406cf9d"
        }
      ],
      "source": {
        "advisory": "20463eb2-0f9d-4ea3-a2c8-93f80e7aca02",
        "discovery": "EXTERNAL"
      },
      "title": "Improper Restriction of Excessive Authentication Attempts in azuracast/azuracast"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2023-2531",
    "datePublished": "2023-05-05T00:00:00.000Z",
    "dateReserved": "2023-05-05T00:00:00.000Z",
    "dateUpdated": "2025-02-12T16:30:22.503Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-2191 (GCVE-0-2023-2191)

Vulnerability from cvelistv5 – Published: 2023-04-20 00:00 – Updated: 2025-02-05 14:24
Title
Cross-site Scripting (XSS) - Stored in azuracast/azuracast
Summary
Cross-site Scripting (XSS) - Stored in GitHub repository azuracast/azuracast prior to 0.18.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor     Product              Version
azuracast  azuracast/azuracast  Affected: unspecified, < 0.18 (custom)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T06:12:20.675Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/0814f5f9-8b58-40e5-b08c-7c488947cf31"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/azuracast/azuracast/commit/24276cb4166b2057de73569ec33046a80a8bb437"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-2191",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-05T14:24:21.258710Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-05T14:24:44.414Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "azuracast/azuracast",
          "vendor": "azuracast",
          "versions": [
            {
              "lessThan": "0.18",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site Scripting (XSS) - Stored in GitHub repository azuracast/azuracast prior to 0.18."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-20T00:00:00.000Z",
        "orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
        "shortName": "@huntrdev"
      },
      "references": [
        {
          "url": "https://huntr.dev/bounties/0814f5f9-8b58-40e5-b08c-7c488947cf31"
        },
        {
          "url": "https://github.com/azuracast/azuracast/commit/24276cb4166b2057de73569ec33046a80a8bb437"
        }
      ],
      "source": {
        "advisory": "0814f5f9-8b58-40e5-b08c-7c488947cf31",
        "discovery": "EXTERNAL"
      },
      "title": "Cross-site Scripting (XSS) - Stored in azuracast/azuracast"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
    "assignerShortName": "@huntrdev",
    "cveId": "CVE-2023-2191",
    "datePublished": "2023-04-20T00:00:00.000Z",
    "dateReserved": "2023-04-20T00:00:00.000Z",
    "dateUpdated": "2025-02-05T14:24:44.414Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}