PT-2026-37204 · Azuracast · Azuracast

Offset · Published 2026-05-04 · Updated 2026-05-10 · CVE-2026-42605

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: AzuraCast versions prior to 0.23.6
Description: The Flow.js media upload endpoint 'POST /api/station/{station id}/files/upload' does not sanitize the currentDirectory request parameter for path traversal sequences. With the default local filesystem storage backend, an authenticated user with media management permissions can therefore write files outside the station's media storage directory; writing a PHP webshell into the web root yields remote code execution. The root cause is an ordering error: the filename is sanitized, but the unsanitized currentDirectory value is then prepended to the destination path, and the upload process writes the file even when it fails MIME type validation.
Recommendations: Update to version 0.23.6. Until the update is applied, restrict access to the 'POST /api/station/{station id}/files/upload' endpoint to highly trusted administrators only as a temporary workaround.
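The ordering flaw described above, as an added example that is not AzuraCast's code: the project is written in PHP, but the pattern is language-agnostic and is shown here in Python. The directory layout, the sanitize_filename helper and both destination builders are constructed for illustration. The vulnerable builder sanitizes only the filename and then prepends the caller-controlled directory; the hardened builder normalizes the full target path and rejects anything that resolves outside the media root.

```python
import posixpath
import re

# Constructed layout for the example, not AzuraCast's real directory structure.
MEDIA_ROOT = "/var/azuracast/stations/1/media"
WEB_ROOT = "/var/azuracast/www/web"


class PathTraversalError(ValueError):
    """Raised when an upload destination would leave the station media root."""


def sanitize_filename(name: str) -> str:
    """Hypothetical basename-only filename sanitizer.

    Strips any directory component and replaces unusual characters. This is
    the kind of check the advisory says is applied to the *filename*; note
    that it says nothing about the directory the file is placed in.
    """
    name = posixpath.basename(name.replace("\\", "/"))
    return re.sub(r"[^A-Za-z0-9._-]", "_", name) or "upload"


def vulnerable_destination(current_directory: str, filename: str) -> str:
    """Pattern described in the advisory (illustrative, not the project's code).

    The filename is sanitized first, then the unchecked currentDirectory value
    is prepended. '..' segments in the directory survive, so the normalized
    result can land anywhere on the filesystem the process may write to.
    """
    safe_name = sanitize_filename(filename)
    return posixpath.normpath(posixpath.join(MEDIA_ROOT, current_directory, safe_name))


def hardened_destination(current_directory: str, filename: str) -> str:
    """Build the destination, then enforce containment on the *normalized* path.

    Checking the resolved path (rather than pattern-matching '..' in the raw
    string) also catches absolute paths and mixed separators. In a real
    deployment resolve symlinks too (os.path.realpath) before comparing.
    """
    safe_name = sanitize_filename(filename)
    # A leading slash would make posixpath.join discard MEDIA_ROOT entirely.
    rel_dir = current_directory.replace("\\", "/").lstrip("/")
    root = posixpath.normpath(MEDIA_ROOT)
    candidate = posixpath.normpath(posixpath.join(root, rel_dir, safe_name))
    if not candidate.startswith(root + "/"):
        raise PathTraversalError(f"destination escapes media root: {candidate}")
    return candidate


def rejects(current_directory: str, filename: str) -> bool:
    """True if the hardened builder refuses this directory/filename pair."""
    try:
        hardened_destination(current_directory, filename)
    except PathTraversalError:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker input: a traversal in the directory, benign filename.
    evil_dir, evil_name = "../../../www/web", "shell.php"
    print("vulnerable:", vulnerable_destination(evil_dir, evil_name))
    print("hardened rejects:", rejects(evil_dir, evil_name))
    print("hardened ok:", hardened_destination("podcasts/2026", "track.mp3"))
```

Running the block shows the vulnerable builder producing a path under WEB_ROOT from the traversal input while the hardened builder raises; the legitimate upload into a subdirectory of the media root is accepted by both. The containment check is the single change that closes the bug, and it belongs after the final path is assembled, not before the directory is joined on.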

Exploit

Fix

RCE

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-42605
GHSA-VP2F-CQQP-478J

Affected Products

Azuracast