PT-2025-27500 · Sunshine · Sunshine

Axfla · Published 2025-06-30 · Updated 2025-08-22 · CVE-2025-53095

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: Sunshine versions prior to 2025.628.4510
Description: The issue is related to a lack of protection against Cross-Site Request Forgery (CSRF) attacks in the web UI of Sunshine. This allows an attacker to create a malicious web page that can trigger unintended actions within the Sunshine application on behalf of an authenticated user. Because Sunshine is designed to execute OS commands, an attacker can abuse the "Command Preparations" feature to inject arbitrary commands that will be executed with Administrator privileges when an application is launched.
Recommendations: For versions prior to 2025.628.4510, update to version 2025.628.4510 or later to resolve the issue. As a temporary workaround, consider restricting access to the web UI of Sunshine to minimize the risk of exploitation. Avoid using the Sunshine application until the issue is resolved.

Exploit · Fix · RCE · CSRF

Weakness Enumeration

Related Identifiers

BDU:2026-00210
CVE-2025-53095
GHSA-39HJ-FXVW-758M

Affected Products

Sunshine