PatchSiren cyber security CVE debrief
CVE-2026-42605 Unknown Vendor CVE debrief
CVE-2026-42605 affects AzuraCast before 0.23.6. An authenticated user with media management permissions can abuse unsanitized path input in the Flow.js upload endpoint to write files outside the intended media directory. On the default local filesystem storage backend, that can extend to remote code execution if a PHP file is written into the web root.
- Vendor: Unknown Vendor
- Product: Unknown
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-09
- Original CVE updated: 2026-05-09
- Advisory published: 2026-05-09
- Advisory updated: 2026-05-09
Who should care
AzuraCast administrators and operators, especially those running versions earlier than 0.23.6 with local filesystem storage and users who have media management permissions.
Technical summary
The issue is a path traversal flaw in the currentDirectory request parameter used by POST /api/station/{station_id}/files/upload. Because the parameter is not sanitized for traversal sequences, the upload flow can be redirected outside the station media storage directory. The GitHub advisory indicates that, when the local filesystem backend is used, this can be leveraged to place arbitrary files elsewhere on disk, including a PHP webshell in the web root, resulting in RCE.
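The defensive fix for this class of bug is to resolve the user-supplied directory against the storage root and refuse anything that lands outside it. The following is an added illustration written for this debrief, not AzuraCast's code or its actual patch; it assumes the parameter has already been URL-decoded by the framework and that the storage root is an absolute POSIX path (a real implementation would additionally resolve symlinks on the filesystem, which a purely lexical check cannot see).

```python
import posixpath


class UnsafePathError(ValueError):
    """Raised when a requested directory would escape the media root."""


def safe_target_dir(media_root: str, current_directory: str) -> str:
    """Return the absolute directory inside media_root that current_directory
    refers to, or raise UnsafePathError if it would escape.

    current_directory is the already URL-decoded, user-controlled value
    (the role played by the currentDirectory parameter discussed above).
    media_root is assumed to be an absolute POSIX path.
    """
    if "\x00" in current_directory:
        raise UnsafePathError("NUL byte in requested directory")
    if current_directory.startswith("/"):
        # Absolute input must be rejected, not silently re-rooted.
        raise UnsafePathError("absolute path not allowed")

    root = posixpath.normpath(media_root)
    if not root.startswith("/"):
        raise ValueError("media_root must be an absolute path")

    # Join, then collapse '.', '..' and duplicate slashes lexically.
    target = posixpath.normpath(posixpath.join(root, current_directory))

    # commonpath compares whole path components, so a prefix match such as
    # /srv/media vs /srv/media_backup is not mistaken for containment.
    if posixpath.commonpath([root, target]) != root:
        raise UnsafePathError(f"{current_directory!r} escapes {root}")
    return target


def is_confined(media_root: str, current_directory: str) -> bool:
    """Boolean convenience wrapper around safe_target_dir."""
    try:
        safe_target_dir(media_root, current_directory)
        return True
    except UnsafePathError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one benign subdirectory, several escapes.
    for requested in ["music/rock", "", "../../elsewhere",
                      "music/../../media_backup", "/etc"]:
        print(f"{requested!r:32} confined={is_confined('/srv/media', requested)}")
```

The decisive line is the `commonpath` comparison after normalisation; checking only for the literal substring `..` is weaker because encoded, doubled, or backslash variants can slip past a string filter while still normalising to a parent directory.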
Defensive priority
High. Treat as urgent for any exposed or actively used AzuraCast deployment running a vulnerable version, especially if authenticated media upload is available.
Recommended defensive actions
- Upgrade AzuraCast to version 0.23.6 or later.
- Review whether the instance uses the default local filesystem storage backend and restrict access if possible until patched.
- Limit who can obtain media management permissions; apply least privilege to authenticated accounts.
- Check the web root and upload-related paths for unexpected PHP files or other unauthorized file writes.
- Review application and web server logs for suspicious upload activity around the affected endpoint.
- If compromise is suspected, rotate credentials and validate the integrity of the AzuraCast installation and hosted media content.
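To support the log review step above, here is an added example (not part of the debrief's own tooling) that scans web server access logs in combined format for requests to the affected upload endpoint whose currentDirectory value normalises to a parent directory or an absolute path. It assumes the parameter is visible in the logged request line as a query string; if your deployment sends it only in the multipart body, the same check has to run against an application-level log that records request parameters. The log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined-log request line, e.g.
# 203.0.113.7 - - [09/May/2026:10:01:12 +0000] "POST /api/... HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# The endpoint named in the advisory: POST /api/station/{station_id}/files/upload
UPLOAD_RE = re.compile(r"^/api/station/\d+/files/upload(?:/|$)")
# A '..' path component anywhere in the (decoded) directory value.
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (bounded) and normalise backslashes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def suspicious_upload(line: str):
    """Return a finding dict for an upload request carrying a traversal
    attempt in currentDirectory, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not UPLOAD_RE.match(url.path):
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # decodes once
    for raw in params.get("currentDirectory", []):
        decoded = decode_fully(raw)  # catches double-encoded values
        if TRAVERSAL_RE.search(decoded) or decoded.startswith("/") or "\x00" in decoded:
            return {
                "ip": m["ip"],
                "time": m["ts"],
                "status": m["status"],
                "currentDirectory": decoded,
            }
    return None


def scan(lines):
    """Run suspicious_upload over an iterable of log lines, keeping hits."""
    return [hit for hit in map(suspicious_upload, lines) if hit]


# Constructed sample log: one benign upload, one plain traversal,
# one double-encoded traversal.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/May/2026:10:01:12 +0000] "POST /api/station/1/files/upload'
    '?currentDirectory=music%2Frock HTTP/1.1" 200 512',
    '203.0.113.7 - - [09/May/2026:10:03:45 +0000] "POST /api/station/1/files/upload'
    '?currentDirectory=..%2F..%2F..%2Felsewhere HTTP/1.1" 200 512',
    '203.0.113.7 - - [09/May/2026:10:05:30 +0000] "POST /api/station/1/files/upload'
    '?currentDirectory=%252e%252e%252fpublic HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request is the case worth escalating on an unpatched instance; a hit with a 4xx status on a patched one is still useful as an indicator that someone is probing the endpoint.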
Evidence notes
The description is supported by the NVD record and GitHub Security Advisory GHSA-vp2f-cqqp-478j, with patch confirmation in the AzuraCast 0.23.6 release and the referenced fixing commit. The record identifies CWE-22 (path traversal) and a CVSS 3.1 vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.
Official resources
CVE published and last modified on 2026-05-09. This debrief is based on the official CVE/NVD record and the linked AzuraCast GitHub advisory, fix commit, and 0.23.6 release.