Description
AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the currentDirectory request parameter in the Flow.js media upload endpoint (POST /api/station/{station_id}/files/upload) is not sanitized for path traversal sequences. When combined with a local filesystem storage backend (the default), an authenticated user with media management permissions can write arbitrary files outside the station's media storage directory, achieving remote code execution by writing a PHP webshell to the web root. This issue has been patched in version 0.23.6.
Published: 2026-05-09
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from insufficient sanitization of the currentDirectory parameter in AzuraCast’s media upload endpoint, a weakness that falls under CWE‑22 (Path Traversal). This allows an attacker to embed path‑traversal sequences and write files outside the intended media directory, including PHP web shells that grant remote code execution. An attacker who gains execution privileges has full control over the affected server.

Affected Systems

AzuraCast installations running any version prior to 0.23.6 are vulnerable when using the default local filesystem storage backend. The attack requires a user with media‑management permissions to upload a file with a specially crafted currentDirectory value.

Risk and Exploitability

The CVSS score of 8.8 reflects high severity. The EPSS score is not available, so no current exploitation probability is reported. The vulnerability is not listed in CISA’s KEV catalog. The exploit necessitates authenticated access to the media upload function and a local storage configuration; once satisfied, an attacker can place malicious code in the web root and execute it.

Generated by OpenCVE AI on May 9, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AzuraCast to version 0.23.6 or later to apply the patch that sanitizes the currentDirectory parameter.
  • Configure the media storage backend to prevent uploads from reaching the web‑root directory, or switch to a non‑local storage solution that isolates uploaded files.
  • Revoke media‑management permissions from users who do not require file upload capabilities to reduce the attack surface.

Generated by OpenCVE AI on May 9, 2026 at 21:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vp2f-cqqp-478j AzuraCast has Path Traversal in `currentDirectory` Parameter that Enables Remote Code Execution via Media Upload
History

Sat, 09 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Azuracast
Azuracast azuracast
Vendors & Products Azuracast
Azuracast azuracast

Sat, 09 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the currentDirectory request parameter in the Flow.js media upload endpoint (POST /api/station/{station_id}/files/upload) is not sanitized for path traversal sequences. When combined with a local filesystem storage backend (the default), an authenticated user with media management permissions can write arbitrary files outside the station's media storage directory, achieving remote code execution by writing a PHP webshell to the web root. This issue has been patched in version 0.23.6.
Title AzuraCast: Path Traversal in `currentDirectory` Parameter Enables Remote Code Execution via Media Upload
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Azuracast Azuracast
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T19:44:05.893Z

Reserved: 2026-04-29T00:31:15.725Z

Link: CVE-2026-42605

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-09T20:16:30.020

Modified: 2026-05-09T20:16:30.020

Link: CVE-2026-42605

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T22:00:14Z

Weaknesses