
13 matches found

NVD
added 2026/05/09 8:16 p.m. · 11 views

CVE-2026-42606

AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to...

CVSS 8.8 · EPSS 0.0007
Exploits: 1 · References: 3

EUVD
added 2026/05/09 7:44 p.m. · 6 views

EUVD-2026-28936

AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the currentDirectory request parameter in the Flow.js media upload endpoint POST /api/station/stationid/files/upload is not sanitized for path traversal sequences. When combined with a local filesystem...

CVSS 8.8 · AI score 6.5 · EPSS 0.00433
Exploits: 1 · References: 3

CVE
added 2026/05/09 7:44 p.m. · 5 views

CVE-2026-42605

AzuraCast (prior to 0.23.6) has a path traversal remote code execution flaw in the media upload flow. The currentDirectory parameter in FlowUploadAction is not sanitized, allowing an authenticated user with media permissions to place files outside the station media directory when using local file...

CVSS 8.8 · AI score 6.5 · EPSS 0.00433
Exploits: 1 · References: 3 · Affected Software: 1

ATTACKERKB
added 2026/05/09 7:44 p.m. · 4 views

CVE-2026-42605

AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the currentDirectory request parameter in the Flow.js media upload endpoint POST /api/station/stationid/files/upload is not sanitized for path traversal sequences. When combined with a local filesystem...

CVSS 8.8 · AI score 6.5 · EPSS 0.00433
Exploits: 1 · References: 4 · Affected Software: 1

Cvelist
added 2026/05/09 7:44 p.m. · 33 views

CVE-2026-42605 AzuraCast: Path Traversal in `currentDirectory` Parameter Enables Remote Code Execution via Media Upload

AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the currentDirectory request parameter in the Flow.js media upload endpoint POST /api/station/stationid/files/upload is not sanitized for path traversal sequences. When combined with a local filesystem...

CVSS 8.8 · EPSS 0.00433
Exploits: 1 · References: 3

ATTACKERKB
added 2026/05/09 7:43 p.m. · 5 views

CVE-2026-42606

AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to...

CVSS 8.1 · AI score 5.8 · EPSS 0.0007
Exploits: 1 · References: 4 · Affected Software: 1

CNNVD
added 2026/05/09 12:00 a.m. · 5 views

AzuraCast Path Traversal Vulnerability

AzuraCast is a simple, self-hosted network broadcasting management suite provided by AzuraCast Inc. Versions of AzuraCast prior to 0.23.6 contained a path traversal vulnerability. This vulnerability stemmed from the currentDirectory request parameter in the Flow.js media upload endpoint, which...

CVSS 8.8 · AI score 6.2 · EPSS 0.00433
Exploits: 1 · References: 1

Snyk
added 2026/05/04 9:19 p.m. · 5 views

Arbitrary Code Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Code Injection via the cleanUpString function. An attacker can execute arbitrary code, disclose internal API keys, or disrupt service operation by supplying crafted input to the remote relay password field, which is processed...

CVSS 8.8 · AI score 6.1
Exploits: 0 · References: 2

Snyk
added 2026/05/04 9:19 p.m. · 3 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the PlayAction process. An attacker can access and download unauthorized media files by sending authenticated requests to the /api/station/stationid/file/id/play endpoint without proper station-level permission...

CVSS 7.1 · AI score 5.8
Exploits: 0 · References: 2

EUVD
added 2025/10/03 8:07 p.m. · 2 views

EUVD-2025-28080

Malicious code in bioql PyPI...

CVSS 9.9 · AI score 9.1 · EPSS 0.00284
Exploits: 0 · References: 2

SUSE CVE
added 2025/05/27 1:10 a.m. · 3 views

SUSE CVE-2025-47282

Gardener External DNS Management is an environment to manage external DNS entries for a Kubernetes cluster. A security vulnerability was discovered in Gardener's External DNS Management prior to version 0.23.6 that could allow a user with administrative privileges for a Gardener project or a user...

CVSS 9.9 · AI score 6.6 · EPSS 0.00284
Exploits: 0 · References: 3

Positive Technologies
added 2020/11/27 12:00 a.m. · 3 views

PT-2020-5853 · P11 Kit +7 · P11-Kit +7

Name of the Vulnerable Software and Affected Versions: p11-kit versions 0.23.6 through 0.23.21. Description: A heap-based buffer overflow has been discovered in the RPC protocol used by p11-kit server/remote commands and the client library. When the remote entity supplies a serialized byte array i...

CVSS 7.5 · AI score 6.7 · EPSS 0.00355
Exploits: 0 · References: 60

Node.js
added 2016/11/30 9:19 p.m. · 36 views

Downloads Resources over HTTP

Overview: Affected versions of nw insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the...

CVSS 9.3 · AI score 5.7 · EPSS 0.00863
Exploits: 0 · Affected Software: 1