Code Injection in AzuraCast - #VU127151

 


Published: April 23, 2026


Vulnerability identifier: #VU127151
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: AzuraCast
Affected software: AzuraCast

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to code injection in ConfigWriter::cleanUpString() and the generated Liquidsoap configuration when processing station metadata and playlist URLs containing Liquidsoap string interpolation sequences. A remote user can supply crafted station metadata or a crafted playlist URL to execute arbitrary code.

User interaction is required because the injected code is evaluated when the station is restarted and Liquidsoap parses the generated configuration.
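
A review aid for the condition described above, added here as an example and not taken from AzuraCast or the advisory: it flags station fields and string literals in a generated Liquidsoap configuration that contain the `#{` interpolation opener, so they can be inspected before the station is restarted. The field names, sample values and sample configuration are constructed assumptions.

```python
# Added review aid, not AzuraCast code. Flags station fields and generated-config
# string literals that contain Liquidsoap's "#{" interpolation opener.
OPENER = "#{"

def risky_fields(fields):
    """Names of untrusted station fields (hypothetical keys) that carry '#{'."""
    return sorted(k for k, v in fields.items() if OPENER in (v or ""))

def string_literals(text):
    """Yield (line_no, body) per quoted literal; '#' outside a literal is a comment."""
    i, line, n = 0, 1, len(text)
    while i < n:
        ch = text[i]
        if ch == "\n":
            line += 1
        elif ch == "#":                        # skip comment up to end of line
            while i < n and text[i] != "\n":
                i += 1
            continue
        elif ch in "\"'":
            quote, start, buf = ch, line, []
            i += 1
            while i < n and text[i] != quote:
                if text[i] == "\\" and i + 1 < n:   # escaped char never closes the literal
                    buf.append(text[i])
                    i += 1
                if text[i] == "\n":
                    line += 1
                buf.append(text[i])
                i += 1
            yield start, "".join(buf)
        i += 1

def literals_with_interpolation(config_text):
    """(line_no, literal) pairs to review before the station is restarted."""
    return [(ln, s) for ln, s in string_literals(config_text) if OPENER in s]

# Constructed sample, not real AzuraCast output; values are harmless.
SAMPLE_FIELDS = {"name": "Night Radio #{1+1}",
                 "playlist_url": "https://example.invalid/list.m3u"}
SAMPLE_CONFIG = '''# station "demo" (constructed)
name = "Night Radio #{1+1}"
url = "https://example.invalid/list.m3u"
log("station \\"#{name}\\" started")  # template-authored interpolation
'''

if __name__ == "__main__":
    print(risky_fields(SAMPLE_FIELDS))
    for ln, s in literals_with_interpolation(SAMPLE_CONFIG):
        print(f"line {ln}: {s!r}")
```

Only `#` line comments are recognised, and interpolation written by the configuration template itself also appears in the findings, so compare them against the output of `risky_fields`.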


Remediation

Install the security update from the vendor's website.
