VIR Vulnerability Intelligence Relay

CVE-2026-42605

high
Published 2026-05-04 · Modified 2026-05-13
CVSS v3
8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v2
VIR risk
8.8

Description

AzuraCast has Path Traversal in `currentDirectory` Parameter that Enables Remote Code Execution via Media Upload

Predictions

Exploit likelihood
92%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-vp2f-cqqp-478j

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/AzuraCast/AzuraCast/commit/18c793b4427eb49e67a2fea99a89f1c9d9dd808d

Package impact
EcosystemPackageVulnerableFixed
php Packagistazuracast/azuracast<=0.23.5
php Packagistazuracast/azuracast<0.23.60.23.6
php COMPOSERazuracast/azuracast<= 0.23.50.23.6

Application impact
VendorProductVersionsFixed
azuracastazuracast{"endExcluding":"0.23.6"}0.23.6

References

CWEs

CWE-22

Verify integrity in audit chain (admin only). AS-IS.