Azuracast
by AzuraCast
Source repositories
CVEs (5)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42605 | Hig | 0.50 | 8.8 | 0.01 | May 9, 2026 | AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the currentDirectory request parameter in the Flow.js media upload endpoint (POST /api/station/{station_id}/files/upload) is not sanitized for path traversal sequences. When combined with… | ||
| CVE-2026-42606 | Hig | 0.46 | 8.1 | 0.00 | May 9, 2026 | AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password… | ||
| CVE-2025-67737 | 0.00 | — | 0.00 | Dec 12, 2025 | AzuraCast is a self-hosted, all-in-one web radio management suite. Versions 0.23.1 mistakenly include an API endpoint that is intended for internal use by the SFTP software sftpgo, exposing it to the public-facing HTTP API for AzuraCast installations. A user with specific… | |||
| CVE-2023-2531 | 0.00 | — | 0.01 | May 5, 2023 | Improper Restriction of Excessive Authentication Attempts in GitHub repository azuracast/azuracast prior to 0.18.3. | |||
| CVE-2023-2191 | 0.00 | — | 0.01 | Apr 20, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository azuracast/azuracast prior to 0.18. |
- risk 0.50cvss 8.8epss 0.01
AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the currentDirectory request parameter in the Flow.js media upload endpoint (POST /api/station/{station_id}/files/upload) is not sanitized for path traversal sequences. When combined with…
- risk 0.46cvss 8.1epss 0.00
AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password…
- CVE-2025-67737Dec 12, 2025risk 0.00cvss —epss 0.00
AzuraCast is a self-hosted, all-in-one web radio management suite. Versions 0.23.1 mistakenly include an API endpoint that is intended for internal use by the SFTP software sftpgo, exposing it to the public-facing HTTP API for AzuraCast installations. A user with specific…
- CVE-2023-2531May 5, 2023risk 0.00cvss —epss 0.01
Improper Restriction of Excessive Authentication Attempts in GitHub repository azuracast/azuracast prior to 0.18.3.
- CVE-2023-2191Apr 20, 2023risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository azuracast/azuracast prior to 0.18.