Sunshine Security Vulnerabilities and Issues — Sunshine CVE List

Lucene search

LizardbyteSunshine

9 matches found

CVE•added 2024/05/16 7:15 p.m.•46 views

CVE-2024-31226

Sunshine is a self-hosted game stream host for Moonlight. Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacted when terminating the service if an attacked placed a file named C:\Program.exe, C:\Program.bat, or C:\Program.cmd on the user's computer. This atta...

4.9CVSS5.2AI score0.00071EPSS

CVE•added 2024/04/05 3:15 p.m.•42 views

CVE-2024-31220

Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.16.0 and prior to version 0.18.0, an attacker may be able to remotely read arbitrary files without authentication due to a path traversal vulnerability. Users who exposed the Sunshine configuration web user interface ou...

7.3CVSS7.3AI score0.00182EPSS

CVE•added 2024/09/10 4:15 p.m.•41 views

CVE-2024-45407

Sunshine is a self-hosted game stream host for Moonlight. Clients that experience a MITM attack during the pairing process may inadvertantly allow access to an unintended client rather than failing authentication due to a PIN validation error. The pairing attempt fails due to the incorrect PIN, but...

6.5CVSS5.9AI score0.00058EPSS

CVE•added 2025/01/20 4:15 p.m.•41 views

CVE-2024-51738

Sunshine is a self-hosted game stream host for Moonlight. In 0.23.1 and earlier, Sunshine's pairing protocol implementation does not validate request order and is thereby vulnerable to a MITM attack, potentially allowing an unauthenticated attacker to pair a client by hijacking a legitimate pairing...

8.1CVSS6.7AI score0.0011EPSS

CVE•added 2024/04/08 3:15 p.m.•34 views

CVE-2024-31221

Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.10.0 and prior to version 0.23.0, after unpairing all devices in the web UI interface and then pairing only one device, all of the previously devices will be temporarily paired. Version 0.23.0 contains a patch for the i...

5.9CVSS5.8AI score0.00087EPSS

CVE•added 2025/07/01 2:15 a.m.•12 views

CVE-2025-53095

Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Cross-Site Request Forgery (CSRF) attacks. This vulnerability allows an attacker to craft a malicious web page that, when visited by an authenticated user, can t...

9.6CVSS7.6AI score0.00027EPSS

CVE•added 2025/07/01 2:15 a.m.•10 views

CVE-2025-53096

Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Clickjacking attacks. This vulnerability allows an attacker to embed the Sunshine interface within a malicious website using an invisible or disguised iframe. If...

6.1CVSS7AI score0.00044EPSS

CVE•added 2025/09/09 6:15 p.m.•6 views

CVE-2025-10198

Sunshine for Windows, version v2025.122.141614, contains a DLL search-order hijacking vulnerability, allowing attackers to insert a malicious DLL in user-writeable PATH directories.

7.8CVSS6.3AI score0.00013EPSS

CVE•added 2025/09/09 6:15 p.m.•5 views

CVE-2025-10199

A local privilege escalation vulnerability exists in Sunshine for Windows (version v2025.122.141614 and likely prior versions) due to an unquoted service path.

7.8CVSS6.4AI score0.00015EPSS