Path traversal in AzuraCast - #VU127154

 


Published: April 23, 2026


Vulnerability identifier: #VU127154
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: AzuraCast
Affected software:
AzuraCast

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to path traversal in the currentDirectory parameter of the Flow.js media upload endpoint, which is processed when handling media upload requests. A remote user can upload a file while supplying traversal sequences in the currentDirectory parameter to execute arbitrary code.

Only instances using the local filesystem storage backend are vulnerable, and media management permissions are required.
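
One way to confine a client-supplied directory such as currentDirectory to the media root on a local filesystem backend, shown as an added example. It is not AzuraCast's code or the vendor's fix; resolveUploadDir, the demo root and the sample inputs are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not AzuraCast code); needs PHP 8 for str_contains().
// Maps a client-supplied directory to a path under $mediaRoot, or throws.
function resolveUploadDir(string $mediaRoot, string $currentDirectory): string
{
    $root = realpath($mediaRoot);
    if ($root === false || !is_dir($root)) {
        throw new RuntimeException('Media root does not exist.');
    }
    if (str_contains($currentDirectory, "\0")) {
        throw new InvalidArgumentException('NUL byte in directory.');
    }

    $segments = [];
    // Treat "\" as a separator too, so "..\.." cannot slip past the split.
    foreach (explode('/', str_replace('\\', '/', $currentDirectory)) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue; // collapses "//", "./" and a leading "/"
        }
        if ($seg === '..') {
            // Refuse rather than clamp: a legitimate client never sends "..".
            throw new InvalidArgumentException('Traversal sequence rejected.');
        }
        $segments[] = $seg;
    }
    $target = rtrim($root . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $segments), DIRECTORY_SEPARATOR);

    // The target may not exist yet, so canonicalise its deepest existing
    // ancestor; this catches a symlink inside the root that points outside it.
    for ($probe = $target; !file_exists($probe) && !is_link($probe); $probe = dirname($probe));
    $real = realpath($probe);
    if ($real !== $root && !str_starts_with((string) $real, $root . DIRECTORY_SEPARATOR)) {
        throw new InvalidArgumentException('Directory escapes the media root.');
    }
    return $target;
}

// Constructed inputs; a temporary directory stands in for the media root.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'media_root_demo';
@mkdir($root . DIRECTORY_SEPARATOR . 'albums', 0700, true);
foreach (['albums/2026', '', '/albums//./live', '../../etc', 'albums/../../x'] as $input) {
    try {
        echo var_export($input, true), ' => ', resolveUploadDir($root, $input), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo var_export($input, true), ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The lexical check alone is not enough on a local filesystem, which is why the deepest existing ancestor is also resolved with realpath() and compared against the root with a trailing separator.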


Remediation

Install the security update from the vendor's website.
