Code Injection in AzuraCast - #VU127525

 


Published: April 24, 2026


Vulnerability identifier: #VU127525
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: AzuraCast
Affected software:
AzuraCast

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper control of code generation in the remote relay password field in ConfigWriter.php when processing a crafted source_password value during Liquidsoap configuration generation. A remote user can send a specially crafted API request with nested interpolation syntax to execute arbitrary code.

Exploitation requires the RemoteRelays station permission and is triggered when the station configuration is regenerated and loaded by Liquidsoap. The issue can also disclose the internal API key.
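The bug class described above, as an added example that is not AzuraCast's code or the vendor's fix: a value written into a double-quoted Liquidsoap string is rejected unless it is inert literal data. The function names and the `password="..."` line format are assumptions made for illustration, and the sample values are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers (PHP 8+); not taken from AzuraCast's ConfigWriter.php.

/** Lists the reasons a value is unsafe inside a double-quoted Liquidsoap string. */
function liquidsoapLiteralProblems(string $value): array
{
    $problems = [];
    if (str_contains($value, '#{')) {
        $problems[] = 'interpolation opener #{';   // evaluated by Liquidsoap, not stored
    }
    if (str_contains($value, '"')) {
        $problems[] = 'double quote';               // ends the string literal early
    }
    if (str_contains($value, '\\')) {
        $problems[] = 'backslash';                  // starts an escape sequence
    }
    if (preg_match('/[\x00-\x1F\x7F]/', $value) === 1) {
        $problems[] = 'control character';          // newline would start a new statement
    }
    return $problems;
}

/** Before (illustrative): the field is concatenated into generated config unchecked. */
function renderPasswordUnsafe(string $password): string
{
    return 'password="' . $password . '"';
}

/** After: refuse to generate config when the field is not plain literal data. */
function renderPasswordChecked(string $password): string
{
    $problems = liquidsoapLiteralProblems($password);
    if ($problems !== []) {
        throw new InvalidArgumentException(
            'source_password rejected: ' . implode(', ', $problems)
        );
    }
    return 'password="' . $password . '"';
}

// Constructed sample values: one ordinary password, two that must be refused.
foreach (['relay-pass-2026', 'abc#{x}', "a\"b\nc"] as $sample) {
    try {
        echo renderPasswordChecked($sample), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
}
```

Rejecting at the API boundary and again at config-generation time covers values that were stored before the check existed, since the description above says the trigger is regeneration of the station configuration.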


Remediation

Install the security update from the vendor's website.
