azuracast/azuracast Security Advisories for 0.9.4.1 (9)
- [HIGH] AzuraCast Vulnerable to Liquidsoap Code Injection via Incomplete cleanUpString-to-toRawString Migration in Remote Relay Password Field
  PKSA-wgbn-7zcq-1tdt GHSA-q4ph-8x8g-95f8
  Affected version: <=0.23.5
  Reported by: GitHub
- [MEDIUM] AzuraCast has Missing Permissions Check on Media File Download, Allowing Cross-Station Data Exfiltration
  PKSA-6p4x-2pyn-gcq9 GHSA-qff7-q5fm-8p76
  Affected version: <=0.23.5
  Reported by: GitHub
- [MEDIUM] AzuraCast's Missing RequireInternalConnection on Liquidsoap API Allows Low-Privilege Metadata Injection and Broadcast Disruption
  PKSA-x7rb-qk7x-brrk GHSA-4fm3-ggg2-c6qx
  Affected version: <=0.23.5
  Reported by: GitHub
- [HIGH] AzuraCast has Password Reset Poisoning via Untrusted X-Forwarded-Host Header that Leads to Account Takeover and 2FA Bypass
  PKSA-8467-6xvh-v57b CVE-2026-42606 GHSA-gv7r-3mr9-h5x8
  Affected version: <=0.23.5
  Reported by: GitHub
- [HIGH] AzuraCast has Path Traversal in `currentDirectory` Parameter that Enables Remote Code Execution via Media Upload
  PKSA-nx6v-99r9-ndh5 CVE-2026-42605 GHSA-vp2f-cqqp-478j
  Affected version: <=0.23.5
  Reported by: GitHub
- [HIGH] AzuraCast: RCE via Liquidsoap string interpolation injection in station metadata and playlist URLs
  PKSA-p9gy-8v98-hsfy GHSA-93fx-5qgc-wr38
  Affected version: <=0.23.3
  Reported by: GitHub
- [LOW] AzuraCast Vulnerable to Pre-Auth File Deletion & Admin RCE
  PKSA-9fw1-5251-nmm8 CVE-2025-67737 GHSA-9449-rphm-mjqr
  Affected version: <=0.23.1
  Reported by: GitHub
- [CRITICAL] AzuraCast missing brute force prevention
  PKSA-fdpp-x827-jm1y CVE-2023-2531 GHSA-4m7v-wr6v-2mw5
  Affected version: <0.18.3
  Reported by: GitHub
- [LOW] AzuraCast/AzuraCast vulnerable to cross-site scripting
  PKSA-64k6-nw81-h316 CVE-2023-2191 GHSA-q55c-hmpf-6h2g
  Affected version: <0.18.0
  Reported by: GitHub