4 matches found
CVE-2026-42606 AzuraCast: Password Reset Poisoning via Untrusted X-Forwarded-Host Header Leads to Account Takeover and 2FA Bypass
AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to...
Arbitrary Code Injection
Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via improper sanitization in the cleanUpString function. An attacker can execute arbitrary commands on the server by injecting specially crafted Liquidsoap string interpolation sequences into user-controllable...
AzuraCast Access Control Error Vulnerability
AzuraCast is a simple self-hosted webcast management suite from AzuraCast. An Access Control Error vulnerability exists in versions of AzuraCast prior to 0.18.3 that stems from an improper restriction of excessive authentication attempts. An attacker could exploit the vulnerability to brute force...
AzuraCast Cross-Site Scripting Vulnerability
AzuraCast is a simple self-hosted webcast management suite from AzuraCast. A cross-site scripting vulnerability exists in AzuraCast version 0.18 and earlier, which stems from the lack of effective filtering and escaping of user-supplied data in the name field on the Edit Profile page, and can be...