AzuraCast RCE via Path Traversal (CVE-2026-42605)

The National Vulnerability Database has detailed CVE-2026-42605, a critical path traversal vulnerability in AzuraCast, a popular self-hosted web radio management suite. Prior to version 0.23.6, the currentDirectory parameter within the Flow.js media upload endpoint (POST /api/station/{station_id}/files/upload) was not properly sanitized. This flaw, when combined with AzuraCast’s default local filesystem storage backend, allows an authenticated user with media management permissions to write arbitrary files outside their designated media storage directory.

This isn’t just a nuisance; it’s a remote code execution (RCE) vector. An attacker can leverage this path traversal to plant a PHP webshell directly into the web root. With a CVSS score of 8.8 (HIGH), the impact is severe, granting full control over the affected server. The National Vulnerability Database confirms this issue has been patched in version 0.23.6.

This highlights a common pitfall: assuming authenticated access inherently limits damage. Path traversal combined with arbitrary file write is always a bad day, especially when it leads to RCE. Defenders need to recognize that even ‘trusted’ user roles can be weaponized if input validation is weak.

What This Means For You

  • If your organization uses AzuraCast, verify immediately that all instances are updated to version 0.23.6 or later. Audit your web server logs for any suspicious file writes outside the normal media directories, particularly PHP files. This vulnerability allows an attacker to drop a webshell, giving them persistent access and control over your server. Don't assume your internal apps are safe from authenticated RCEs.

🛡️ Detection Rules

critical T1190 Initial Access

CVE-2026-42605 - AzuraCast Path Traversal to RCE via Media Upload

Sigma YAML — free preview
title: CVE-2026-42605 - AzuraCast Path Traversal to RCE via Media Upload
id: scw-2026-05-09-ai-1
status: experimental
level: critical
description: |
  Detects the specific path traversal exploit targeting the AzuraCast media upload endpoint. The 'currentDirectory' parameter is manipulated with '../' sequences to write files outside the intended directory, leading to potential remote code execution.
author: SCW Feed Engine (AI-generated)
date: 2026-05-09
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42605/
tags:
  - attack.initial_access
  - attack.t1190
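logsource:
  category: webserver
detection:
  selection:
    cs-method:
      - 'POST'
    cs-uri:
      - '/api/station/*/files/upload'
    # Literal substring match on the logged query string
    cs-uri-query|contains:
      - 'currentDirectory=../'
  # 'condition' is a sibling of 'selection' under 'detection', not a field inside it
  condition: selection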
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse
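
A log-triage sketch for the audit step above, added here as an example (not code from AzuraCast or from the rule's author): it flags upload requests whose currentDirectory contains a '..' segment after decoding. It assumes combined-format access log lines and, like the Sigma rule, that the parameter is logged in the query string; the sample entries are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
UPLOAD_RE = re.compile(r"^/api/station/[^/]+/files/upload/?$")

def normalize(value, rounds=3):
    """Undo leftover percent-encoding layers and unify path separators."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def has_parent_segment(directory):
    """True when any path segment of the normalized value is exactly '..'."""
    return ".." in normalize(directory).split("/")

def suspicious_uploads(lines):
    """Return (line number, normalized currentDirectory) for flagged uploads."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match or match["method"] != "POST":
            continue
        target = urlsplit(match["target"])
        if not UPLOAD_RE.match(target.path):
            continue
        # parse_qsl removes one encoding layer; normalize() removes the rest.
        for key, value in parse_qsl(target.query, keep_blank_values=True):
            if key == "currentDirectory" and has_parent_segment(value):
                hits.append((number, normalize(value)))
    return hits

# Constructed sample entries (documentation address, made-up directory names).
PREFIX = '203.0.113.7 - - [09/May/2026:10:00:00 +0000] '
SUFFIX = ' 200 52 "-" "Mozilla/5.0"'
SAMPLE_LOG = [PREFIX + request + SUFFIX for request in (
    '"POST /api/station/1/files/upload?currentDirectory=albums/live HTTP/1.1"',
    '"POST /api/station/1/files/upload?currentDirectory=my..mix/live HTTP/1.1"',
    '"POST /api/station/1/files/upload?currentDirectory=../../outside HTTP/1.1"',
    '"POST /api/station/1/files/upload?currentDirectory=..%252F..%252Foutside HTTP/1.1"',
)]

if __name__ == "__main__":
    for number, directory in suspicious_uploads(SAMPLE_LOG):
        print(f"line {number}: currentDirectory={directory!r}")
```

A hit is a lead for review, not proof of compromise: follow it up by checking the host for files created outside the station's media directory around the logged time.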


Indicators of Compromise

ID | Type | Indicator
CVE-2026-42605 | Path Traversal | AzuraCast versions prior to 0.23.6
CVE-2026-42605 | Path Traversal | Vulnerable endpoint: POST /api/station/{station_id}/files/upload
CVE-2026-42605 | Path Traversal | Vulnerable parameter: currentDirectory in Flow.js media upload
CVE-2026-42605 | RCE | Achieved by writing a PHP webshell to the web root via path traversal

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 09, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
