SB20260423144 - Code Injection in AzuraCast
Published: April 23, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Code Injection (CVE-ID: N/A)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to code injection in ConfigWriter::cleanUpString() and the generated Liquidsoap configuration when processing station metadata and playlist URLs containing Liquidsoap string interpolation sequences. A remote user can supply crafted station metadata or a crafted playlist URL to execute arbitrary code.
User interaction is required because the injected code is evaluated when the station is restarted and Liquidsoap parses the generated configuration.
Remediation
Install update from vendor's website.