CVE-2026-42606
AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to...
CVE-2026-42605
AzuraCast (prior to 0.23.6) has a path traversal remote code execution flaw in the media upload flow. The currentDirectory parameter in FlowUploadAction is not sanitized, allowing an authenticated user with media permissions to place files outside the station media directory when using local file...
CVE-2026-42605
AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the currentDirectory request parameter in the Flow.js media upload endpoint POST /api/station/stationid/files/upload is not sanitized for path traversal sequences. When combined with a local filesystem...
CVE-2026-42606 AzuraCast: Password Reset Poisoning via Untrusted X-Forwarded-Host Header Leads to Account Takeover and 2FA Bypass
AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to...
Arbitrary Code Injection
Overview: Affected versions of this package are vulnerable to Arbitrary Code Injection via the cleanUpString function. An attacker can execute arbitrary code, disclose internal API keys, or disrupt service operation by supplying crafted input to the remote relay password field, which is processed...
EUVD-2023-1373
Malicious code in bioql PyPI...
CVE-2023-2191
Cross-site Scripting XSS - Stored in GitHub repository azuracast/azuracast prior to 0.18...
Rate Limit Bypass
AzuraCast is vulnerable to Rate Limit Bypass. The vulnerability arises because the existing rate limiting functionality trusts the arbitrary user input coming from the X-Forwarded-For and Client-IP headers. The vulnerability could allow an attacker to brute force a user password...
Rate-limit Bypass
azuracast/azuracast is vulnerable to Rate-limit Bypass. The vulnerability exists due to a lack of user request rate limiting when the request headers include random values, which allows an attacker to bypass the login security mechanism...
GHSA-4M7V-WR6V-2MW5 AzuraCast missing brute force prevention
The request rate limiting feature on the login page of AzuraCast before version 0.18.3 can be bypassed, which could allow an attacker to brute force login credentials...
CVE-2023-2531
Improper Restriction of Excessive Authentication Attempts in GitHub repository azuracast/azuracast prior to 0.18.3...
CVE-2023-2531
The CVE-2023-2531 entry concerns AzuraCast (azuracast/azuracast) before version 0.18.3, where the login rate-limiting/anti-brute-force control could be bypassed, enabling credential brute-forcing. Multiple connected sources corroborate that older AzuraCast releases lacked effective restriction on...
Cross-Site Scripting (XSS)
azuracast/azuracast is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to a lack of sanitization of the getDisplayName parameter in main.phtml, which allows an attacker to inject and execute arbitrary JavaScript in the browser...
Stored Cross-site Scripting (XSS)
azuracast/azuracast is vulnerable to Stored Cross-site Scripting XSS. The vulnerability exists in main.phtml because the user display name in the menu is not properly escaped before being rendered, allowing an attacker to inject and execute malicious JavaScript through the display name...
Reflected XSS in Path Traversal detector
Description: AzuraCast has a feature that blocks all path traversal attempts (good job implementing it). But when AzuraCast blocks an attack, it reflects the path without sanitizing the output in PathTraversalDetected.php. It is possible to perform attacks like Reflected XSS or HTML injection. Steps to reproduce: 1. ...
GHSA-Q55C-HMPF-6H2G AzuraCast/AzuraCast vulnerable to cross-site scripting
AzuraCast/AzuraCast prior to version 0.18.0 is vulnerable to stored cross-site scripting. An issue was identified where a user who already had an AzuraCast account could update their display name to inject malicious JavaScript into the header menu of the site. In a majority of cases, this menu is...