PatchSiren

AzuraCast CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH AzuraCast CVE published 2026-05-09

CVE-2026-42606

CVE-2026-42606 is a high-severity vulnerability in AzuraCast’s ApplyXForwarded middleware that trusted the client-supplied X-Forwarded-Host header without a trusted-proxy allowlist. An unauthenticated attacker could influence the host used in a forgot-password email, poison the reset URL, and cause the reset token to be sent to an attacker-controlled destination when the victim clicked the link. With the [truncated]
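The bug class here is generic: any middleware that copies X-Forwarded-Host into the request's effective host, without first checking that the TCP peer is a proxy you control, lets an unauthenticated client choose the host that later ends up in generated links. The following is an added illustration in Python, not AzuraCast's PHP middleware or its identifiers; the function names, the request dict shape, the canonical hostname and the proxy ranges are assumptions. It shows the permissive resolution beside the allowlisted one and what each produces for a password-reset link.

```python
"""Forwarded-host trust, vulnerable vs. allowlisted (illustrative example,
not AzuraCast code; names and addresses are assumed for the demo)."""
import ipaddress
from urllib.parse import urlencode

# Assumed deployment values: the instance's own hostname and the only
# reverse proxies permitted to rewrite host information.
CANONICAL_HOST = "radio.example.org"
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]


def resolve_host_vulnerable(request: dict) -> str:
    """Honours X-Forwarded-Host from any peer: the pattern the advisory describes."""
    headers = request["headers"]
    return headers.get("X-Forwarded-Host") or headers.get("Host", CANONICAL_HOST)


def resolve_host_hardened(request: dict) -> str:
    """Honours X-Forwarded-Host only when the connecting peer is an allowlisted
    proxy; every other request gets the configured canonical host."""
    peer = ipaddress.ip_address(request["remote_addr"])
    if any(peer in net for net in TRUSTED_PROXIES):
        forwarded = request["headers"].get("X-Forwarded-Host")
        if forwarded:
            # A chained value "a, b" names the client-facing host first.
            return forwarded.split(",")[0].strip()
    return CANONICAL_HOST


def build_reset_url(host: str, token: str) -> str:
    """Assumed shape of a reset link; the real path is not part of this example."""
    return f"https://{host}/recover?" + urlencode({"token": token})


# Constructed request from an untrusted internet peer carrying a forged header.
ATTACKER_REQUEST = {
    "remote_addr": "203.0.113.5",
    "headers": {"Host": "radio.example.org", "X-Forwarded-Host": "attacker.example"},
}

# Constructed request that really did arrive via an allowlisted proxy.
PROXIED_REQUEST = {
    "remote_addr": "10.1.2.3",
    "headers": {"Host": "backend:8080", "X-Forwarded-Host": "radio.example.org"},
}


if __name__ == "__main__":
    token = "demo-token"  # a real token would be random and single-use
    print("vulnerable:", build_reset_url(resolve_host_vulnerable(ATTACKER_REQUEST), token))
    print("hardened:  ", build_reset_url(resolve_host_hardened(ATTACKER_REQUEST), token))
    print("via proxy: ", build_reset_url(resolve_host_hardened(PROXIED_REQUEST), token))
```

The allowlist is keyed on the socket peer address, not on anything in the request, because that is the only value the attacker cannot supply. For links that must be trustworthy (password resets, invitations), the safer design is to never derive the host from headers at all and use a configured base URL, which is what the hardened branch falls back to.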

HIGH AzuraCast CVE published 2026-05-09

CVE-2026-42605

CVE-2026-42605 affects AzuraCast before 0.23.6. An authenticated user with media management permissions can abuse unsanitized path input in the Flow.js upload endpoint to write files outside the intended media directory. On the default local filesystem storage backend, that can extend to remote code execution if a PHP file is written into the web root.
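The defensive point is path confinement: a relative directory and a filename supplied by the uploader must be rejected unless the resolved destination still lies inside the media root, and on a backend where the web root is reachable on the same filesystem it is worth refusing server-interpreted extensions as well. The example below is added here in Python and is not AzuraCast's Flow.js upload handler; the function names, the media root, the sample paths and the blocked-extension list are assumptions. It contrasts naive concatenation with a realpath-and-commonpath check.

```python
"""Upload destination confinement, vulnerable vs. hardened (illustrative
example, not AzuraCast code; paths and names are assumed for the demo)."""
import os


class PathTraversal(ValueError):
    """Destination would escape the media root."""


class UnsafeUploadType(ValueError):
    """Extension that a co-located web server might execute."""


# Assumed defence-in-depth list; adjust to what the web server actually maps.
BLOCKED_EXTENSIONS = {".php", ".phtml", ".phar", ".php3", ".php5", ".php7", ".phps"}


def resolve_upload_target_vulnerable(media_root: str, relative_dir: str, filename: str) -> str:
    """Joins uploader-controlled parts as-is; '..' segments walk out of the root."""
    return os.path.normpath(os.path.join(media_root, relative_dir, filename))


def resolve_upload_target_hardened(media_root: str, relative_dir: str, filename: str) -> str:
    """Returns the destination only if it resolves inside media_root."""
    for part in (relative_dir, filename):
        if "\0" in part:
            raise PathTraversal("NUL byte in path component")
        if os.path.isabs(part) or part.startswith(("/", "\\")):
            raise PathTraversal("absolute path component rejected")
    # The filename must be a single bare name, never a path.
    if filename in ("", ".", "..") or os.path.basename(filename) != filename:
        raise PathTraversal("filename must not contain path separators")

    root = os.path.realpath(media_root)
    candidate = os.path.realpath(os.path.join(root, relative_dir, filename))
    # commonpath works on components, so /srv/media-evil is not inside /srv/media.
    if os.path.commonpath([root, candidate]) != root:
        raise PathTraversal(f"{candidate!r} is outside {root!r}")

    if os.path.splitext(filename)[1].lower() in BLOCKED_EXTENSIONS:
        raise UnsafeUploadType(f"refusing to store {filename!r}")
    return candidate


# Constructed inputs: a benign upload and the traversal shape the advisory describes.
MEDIA_ROOT = "/srv/media"
BENIGN = ("station_1/albums", "track.mp3")
ESCAPING = ("../../var/www/html", "shell.php")


if __name__ == "__main__":
    print("vulnerable:", resolve_upload_target_vulnerable(MEDIA_ROOT, *ESCAPING))
    print("hardened:  ", resolve_upload_target_hardened(MEDIA_ROOT, *BENIGN))
    try:
        resolve_upload_target_hardened(MEDIA_ROOT, *ESCAPING)
    except PathTraversal as exc:
        print("rejected:  ", exc)
```

Resolving with realpath before comparing matters because a symlink inside the media directory can point anywhere; a purely lexical check on the joined string would pass it. The extension check is a second layer, not a substitute: the confinement check is what stops the write from landing in the web root in the first place.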