CVE-2026-42605— AzuraCast: Path Traversal in `currentDirectory` Parameter Enables Remote Code Execution via Media Upload
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42605
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
AzuraCast: Path Traversal in `currentDirectory` Parameter Enables Remote Code Execution via Media Upload
Source: NVD (National Vulnerability Database)
Vulnerability Description
AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the currentDirectory request parameter in the Flow.js media upload endpoint (POST /api/station/{station_id}/files/upload) is not sanitized for path traversal sequences. When combined with a local filesystem storage backend (the default), an authenticated user with media management permissions can write arbitrary files outside the station's media storage directory, achieving remote code execution by writing a PHP webshell to the web root. This issue has been patched in version 0.23.6.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
AzuraCast 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
AzuraCast是AzuraCast公司的一个简单的自托管网络广播管理套件。 AzuraCast 0.23.6之前版本存在路径遍历漏洞,该漏洞源于Flow.js媒体上传端点中currentDirectory请求参数未进行路径遍历序列清理,可能导致具有媒体管理权限的认证用户通过写入PHP webshell到web根目录实现远程代码执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-42605
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCVerified env Premium
Qwen3.6-35B-A3B · 11108 chars
Paid plan includes:
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-42605
请登录查看更多情报信息。
- Release 0.23.6 · AzuraCast/AzuraCast · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-42605
IV. Related Vulnerabilities
Same vendor: AzuraCast
Same weakness: CWE-22
- CVE-2026-44647
OneDev: Path Traversal (read capability via Git LFS pointer - CVE-2026-27886
Strapi may leak sensitive data via relational filtering due - CVE-2026-42598
Pode: Directory Traversal is possible on Static Routes - CVE-2026-44542
FileBrowser Quantum: Unauthenticated Path Traversal in Publi - CVE-2026-42593
Gotenberg: Arbitrary PDF read via stampExpression and waterm
V. Comments for CVE-2026-42605
No comments yet