Sunshine
by Lizardbyte
Source repositories
CVEs (12)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-32253 | Cri | 0.57 | 9.8 | 0.00 | May 22, 2026 | Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats… | ||
| CVE-2025-52386 | Med | 0.35 | 5.4 | 0.00 | Aug 13, 2025 | CycloneDX Sunshine v0.9 is vulnerable to CSV Formula Injection via a crafted JSON file | ||
| CVE-2025-54081 | 0.00 | — | 0.00 | Sep 23, 2025 | Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.923.33222, the Windows service SunshineService is installed with an unquoted executable path. If Sunshine is installed in a directory whose name includes a space, the Service Control Manager (SCM)… | |||
| CVE-2025-10199 | 0.00 | — | 0.00 | Sep 9, 2025 | A local privilege escalation vulnerability exists in Sunshine for Windows (version v2025.122.141614 and likely prior versions) due to an unquoted service path. | |||
| CVE-2025-10198 | 0.00 | — | 0.00 | Sep 9, 2025 | Sunshine for Windows, version v2025.122.141614, contains a DLL search-order hijacking vulnerability, allowing attackers to insert a malicious DLL in user-writeable PATH directories. | |||
| CVE-2025-53095 | 0.00 | — | 0.00 | Jul 1, 2025 | Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Cross-Site Request Forgery (CSRF) attacks. This vulnerability allows an attacker to craft a malicious web page that, when visited by an… | |||
| CVE-2025-53096 | 0.00 | — | 0.00 | Jul 1, 2025 | Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Clickjacking attacks. This vulnerability allows an attacker to embed the Sunshine interface within a malicious website using an invisible or… | |||
| CVE-2024-51738 | 0.00 | — | 0.01 | Jan 20, 2025 | Sunshine is a self-hosted game stream host for Moonlight. In 0.23.1 and earlier, Sunshine's pairing protocol implementation does not validate request order and is thereby vulnerable to a MITM attack, potentially allowing an unauthenticated attacker to pair a client by hijacking… | |||
| CVE-2024-45407 | 0.00 | — | 0.00 | Sep 10, 2024 | Sunshine is a self-hosted game stream host for Moonlight. Clients that experience a MITM attack during the pairing process may inadvertantly allow access to an unintended client rather than failing authentication due to a PIN validation error. The pairing attempt fails due to… | |||
| CVE-2024-31226 | 0.00 | — | 0.00 | May 16, 2024 | Sunshine is a self-hosted game stream host for Moonlight. Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacted when terminating the service if an attacked placed a file named `C:\Program.exe`, `C:\Program.bat`, or `C:\Program.cmd` on the… | |||
| CVE-2024-31221 | 0.00 | — | 0.01 | Apr 8, 2024 | Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.10.0 and prior to version 0.23.0, after unpairing all devices in the web UI interface and then pairing only one device, all of the previously devices will be temporarily paired. Version 0.23.0… | |||
| CVE-2024-31220 | 0.00 | — | 0.00 | Apr 5, 2024 | Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.16.0 and prior to version 0.18.0, an attacker may be able to remotely read arbitrary files without authentication due to a path traversal vulnerability. Users who exposed the Sunshine configuration… |
- risk 0.57cvss 9.8epss 0.00
Sunshine is a self-hosted game stream host for Moonlight. In versions prior to 2026.516.143833, the client-certificate authentication can be bypassed because of how OpenSSL verification results are handled. In src/crypto.cpp, the custom verify callback treats…
- risk 0.35cvss 5.4epss 0.00
CycloneDX Sunshine v0.9 is vulnerable to CSV Formula Injection via a crafted JSON file
- CVE-2025-54081Sep 23, 2025risk 0.00cvss —epss 0.00
Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.923.33222, the Windows service SunshineService is installed with an unquoted executable path. If Sunshine is installed in a directory whose name includes a space, the Service Control Manager (SCM)…
- CVE-2025-10199Sep 9, 2025risk 0.00cvss —epss 0.00
A local privilege escalation vulnerability exists in Sunshine for Windows (version v2025.122.141614 and likely prior versions) due to an unquoted service path.
- CVE-2025-10198Sep 9, 2025risk 0.00cvss —epss 0.00
Sunshine for Windows, version v2025.122.141614, contains a DLL search-order hijacking vulnerability, allowing attackers to insert a malicious DLL in user-writeable PATH directories.
- CVE-2025-53095Jul 1, 2025risk 0.00cvss —epss 0.00
Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Cross-Site Request Forgery (CSRF) attacks. This vulnerability allows an attacker to craft a malicious web page that, when visited by an…
- CVE-2025-53096Jul 1, 2025risk 0.00cvss —epss 0.00
Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Clickjacking attacks. This vulnerability allows an attacker to embed the Sunshine interface within a malicious website using an invisible or…
- CVE-2024-51738Jan 20, 2025risk 0.00cvss —epss 0.01
Sunshine is a self-hosted game stream host for Moonlight. In 0.23.1 and earlier, Sunshine's pairing protocol implementation does not validate request order and is thereby vulnerable to a MITM attack, potentially allowing an unauthenticated attacker to pair a client by hijacking…
- CVE-2024-45407Sep 10, 2024risk 0.00cvss —epss 0.00
Sunshine is a self-hosted game stream host for Moonlight. Clients that experience a MITM attack during the pairing process may inadvertantly allow access to an unintended client rather than failing authentication due to a PIN validation error. The pairing attempt fails due to…
- CVE-2024-31226May 16, 2024risk 0.00cvss —epss 0.00
Sunshine is a self-hosted game stream host for Moonlight. Users who ran Sunshine versions 0.17.0 through 0.22.2 as a service on Windows may be impacted when terminating the service if an attacked placed a file named `C:\Program.exe`, `C:\Program.bat`, or `C:\Program.cmd` on the…
- CVE-2024-31221Apr 8, 2024risk 0.00cvss —epss 0.01
Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.10.0 and prior to version 0.23.0, after unpairing all devices in the web UI interface and then pairing only one device, all of the previously devices will be temporarily paired. Version 0.23.0…
- CVE-2024-31220Apr 5, 2024risk 0.00cvss —epss 0.00
Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.16.0 and prior to version 0.18.0, an attacker may be able to remotely read arbitrary files without authentication due to a path traversal vulnerability. Users who exposed the Sunshine configuration…