Home / Vulnerability Intelligence / CVE-2026-42605

CVE-2026-42605 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: May 9, 2026

AzuraCast - Remote Code Execution

Published: May 9, 2026Updated: May 9, 2026Remote Exploitable

Overview

AzuraCast < 0.23.6 contains a path traversal caused by unsanitized currentDirectory parameter in Flow.js media upload endpoint, letting authenticated users with media management permissions achieve remote code execution by writing files outside media storage.

Severity & Score

Severity: High

CVSS Score: 8.8

Impact

Authenticated users with media management permissions can execute arbitrary code remotely by uploading malicious files.

Mitigation

Update to version 0.23.6 or later.

References

https://github.com/AzuraCast/AzuraCast/commit/18c793b4427eb49e67a2fea99a89f1c9d9dd808d
https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6
https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-vp2f-cqqp-478j

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-42605
Severity: High
CVSS Score: 8.8
Type: path_traversal
Status: new

CWE

CWE-22

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H