SB20260423144 - Code Injection in AzuraCast



SB20260423144 - Code Injection in AzuraCast

Published: April 23, 2026

Security Bulletin ID SB20260423144
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Code Injection (CVE-ID: N/A)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to code injection in ConfigWriter::cleanUpString() and the generated Liquidsoap configuration when processing station metadata and playlist URLs containing Liquidsoap string interpolation sequences. A remote user can supply crafted station metadata or a crafted playlist URL to execute arbitrary code.

User interaction is required because the injected code is evaluated when the station is restarted and Liquidsoap parses the generated configuration.


Remediation

Install update from vendor's website.