Buster Neece

5 exploits Active since Apr 2023
CVE-2026-42605 WRITEUP HIGH WRITEUP
AzuraCast: Path Traversal in `currentDirectory` Parameter Enables Remote Code Execution via Media Upload
AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the currentDirectory request parameter in the Flow.js media upload endpoint (POST /api/station/{station_id}/files/upload) is not sanitized for path traversal sequences. When combined with a local filesystem storage backend (the default), an authenticated user with media management permissions can write arbitrary files outside the station's media storage directory, achieving remote code execution by writing a PHP webshell to the web root. This issue has been patched in version 0.23.6.
CVSS 8.8
CVE-2026-42606 WRITEUP HIGH WRITEUP
AzuraCast: Password Reset Poisoning via Untrusted X-Forwarded-Host Header Leads to Account Takeover and 2FA Bypass
AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker's server. The attacker then uses the token on the real instance to reset the victim's password and destroy their 2FA configuration, achieving full account takeover. This issue has been patched in version 0.23.6.
CVSS 8.1
CVE-2023-2191 WRITEUP MEDIUM WRITEUP
GitHub azuracast/azuracast <0.18 - XSS
Cross-site Scripting (XSS) - Stored in GitHub repository azuracast/azuracast prior to 0.18.
CVSS 4.8
CVE-2023-2531 WRITEUP CRITICAL WRITEUP
Azuracast < 0.18.3 - Improper Restriction of Excessive Authentication Attempts
Improper Restriction of Excessive Authentication Attempts in GitHub repository azuracast/azuracast prior to 0.18.3.
CVSS 9.8
CVE-2025-67737 WRITEUP LOW WRITEUP
AzuraCast < 0.23.2 - Missing Authorization in SFTP API Endpoint
AzuraCast is a self-hosted, all-in-one web radio management suite. Versions 0.23.1 mistakenly include an API endpoint that is intended for internal use by the SFTP software sftpgo, exposing it to the public-facing HTTP API for AzuraCast installations. A user with specific internal knowledge of a station's operations can craft a custom HTTP request that would affect the contents of a station's database, without revealing any internal information about the station. In order to carry out an attack, a malicious user would need to know a valid SFTP station username and the coordinating internal filesystem structure. This issue is fixed in version 0.23.2.
CVSS 3.1