CVE-2026-42605 | AzuraCast up to 0.23.5 Request Parameter Flow.js /api/station/{station_id}/files/upload path traversal (GHSA-vp2f-cqqp-478j)

May 10, 2026 Yanac

A vulnerability was found in AzuraCast up to 0.23.5. It has been rated as critical. The affected element is the function /api/station/{station_id}/files/upload of the file Flow.js of the component Request Parameter Handler. This manipulation causes path traversal.

This vulnerability is tracked as CVE-2026-42605. The attack is possible to be carried out remotely. No exploit exists.

Upgrading the affected component is advised.VulDB Recent EntriesRead More