11 matches found
CVE-2024-31226
Sunshine (Moonlight’s self-hosted game stream host) for Windows is affected in versions 0.17.0–0.22.2 when running as a service. An attacker could place a file named C:\Program.exe, C:\Program.bat, or C:\Program.cmd on the target machine and trigger hijacked execution flow during service terminat...
CVE-2024-45407
Sunshine is a self-hosted game stream host for Moonlight. The CVE describes a failure in pairing state management where a MITM during pairing causes the attacker’s certificate to be incorrectly persisted before the pairing completes, potentially enabling access to the attacker’s certificate and a...
CVE-2024-51738
Sunshine (Moonlight self-hosted game stream host) prior to 2025.118.151840 is affected. In 0.23.1 and earlier, the pairing protocol does not validate request order, enabling a MITM attack that can hijack a legitimate pairing and may also be used to crash Sunshine. The vulnerability is fixed in 20...
CVE-2024-31220
Sunshine (Moonlight’s self-hosted game stream host) is affected by a path-traversal bug that allows remote reading of arbitrary files without authentication in versions 0.16.0 through 0.17.x. An attacker could trigger the issue by sending an HTTP/S request to the node_modules endpoint if the Suns...
CVE-2024-31221
CVE-2024-31221 affects Sunshine, a self-hosted game stream host for Moonlight. Reports across multiple sources indicate that versions 0.10.0 through 0.22.x are vulnerable: after unpairing all devices via the web UI and then pairing a single device, previously paired devices may be temporarily re-...
CVE-2025-53095
CVE-2025-53095 applies to Sunshine, a self-hosted game stream host for Moonlight. Before version 2025.628.4510, the web UI lacked CSRF protection, allowing an authenticated user to trigger unintended actions by crafting a malicious page. Because Sunshine performs OS command execution by design, a...
CVE-2026-32253
CVE-2026-32253 (Sunshine): Sunshine, a self-hosted game stream host for Moonlight, had a vulnerability in client-certificate authentication where the OpenSSL verification results were mishandled in src/crypto.cpp. The custom verify callback treated X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, X...
CVE-2025-53096
Summary: CVE-2025-53096 affects Sunshine, a self-hosted game stream host for Moonlight. The issue is a lack of clickjacking protection in Sunshine’s web UI prior to version 2025.628.4510, allowing an attacker to embed the UI in a malicious page via an invisible or disguised iframe. If a user, whi...
CVE-2025-10198
Sunshine for Windows v2025.122.141614 has CVE-2025-10198 (DLL search-order hijacking) and related unquoted service path issues that could allow a local attacker to load a malicious DLL from user-writable PATH directories or escalate privileges via an unquoted service path. Impact is described as ...
CVE-2025-10199
Sunshine for Windows (v2025.122.141614 and likely earlier) contains two local privilege escalation issues: CVE-2025-10198 (unquoted service path) and CVE-2025-10199 (DLL search-order hijacking). The unquoted service path allows a local attacker to place a malicious executable in a path used by th...
CVE-2025-54081
CVE-2025-54081 affects Sunshine (Moonlight host) due to an unquoted executable path in the Windows service SunshineService prior to 2025.923.33222. If Sunshine is installed in a directory with spaces, the Service Control Manager may misinterpret the path and allow a malicious binary to execute ea...