In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between May 09-10, 2026.
During this period, the National Vulnerability Database published 70 new Common Vulnerabilities and Exposures (CVEs), classified by severity as follows:
Critical: 3
High: 12
Medium: 12
Low: 14
Severity Not Assigned: 29
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2026-44313
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 3.1
Impact Score: 5.3
Description: Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. Prior to version 2.13.0, a Server-Side Request Forgery (SSRF) vulnerability in the fetchTitleAndHeaders function allows authenticated users to make arbitrary HTTP requests to internal services due to insufficient URL validation that only checks for "http://" or "https://" prefixes. This issue has been patched in version 2.13.0.
References: https://github.com/linkwarden/linkwarden/security/advisories/GHSA-5qpc-x7rv-hvmp
CWE-ID: CWE-918
Common Platform Enumerations (CPE): Not Found
2. CVE-2026-41705
Base Score: 8.6
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 4.7
Description: Spring AI's MilvusVectorStore#doDelete(List) implementation is vulnerable to filter-expression injection via unsanitized document IDs.
Spring AI 1.0.x: affected from 1.0.0 through latest 1.0.x; upgrade to 1.0.7 or greater. Spring AI 1.1.x: affected from 1.1.0 through latest 1.1.x; upgrade to 1.1.6 or greater.
References: https://spring.io/security/cve-2026-41705
CWE-ID: CWE-917
Common Platform Enumerations (CPE): Not Found
3. CVE-2026-6664
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: An integer overflow in network packet parsing code in PgBouncer before 1.25.2 bypasses a boundary check and can lead to a crash. An unauthenticated remote attacker can crash PgBouncer with a malformed SCRAM authentication packet.
References: https://www.pgbouncer.org/changelog.html#pgbouncer-125x
CWE-ID: CWE-190
Common Platform Enumerations (CPE): Not Found
4. CVE-2026-6665
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 5.9
Description: The SCRAM code in PgBouncer before 1.25.2 did not check the return value of strlcat() correctly when building the contents of the SCRAM client-final-message. A malicious backend that sends a SCRAM server-final-message with a long nonce can trigger a stack overflow.
References: https://www.pgbouncer.org/changelog.html#pgbouncer-125x
CWE-ID: CWE-121
Common Platform Enumerations (CPE): Not Found
5. CVE-2026-41311
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.7, a circular block reference in {% layout %} / {% block %} causes an infinite recursive loop, consuming all available memory (~4GB) and crashing the Node.js process with FATAL ERROR: JavaScript heap out of memory. This allows any user who can submit a Liquid template to perform a Denial of Service attack. This issue has been patched in version 10.25.7.
References: https://github.com/harttle/liquidjs/commit/e2311dfd6e82f73509308aa8a3a1fafc92e226f0
https://github.com/harttle/liquidjs/releases/tag/v10.25.7
https://github.com/harttle/liquidjs/security/advisories/GHSA-4rc3-7j7w-m548
CWE-ID: CWE-674
Common Platform Enumerations (CPE): Not Found
6. CVE-2026-42296
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.2
Description: Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.7.14 and 4.0.5, a user with create Workflow permission can bypass templateReferencing: Strict to get host network access, switch service accounts, override pod security context, add tolerations to schedule on control-plane nodes, or enable SA token mounting. This defeats the stated purpose of the feature. The practical impact depends on what Kubernetes-level controls are in place. Clusters with PodSecurity admission or OPA/Gatekeeper would independently block some of these (like hostNetwork). Clusters that rely on Argo's Strict mode as the primary enforcement layer are fully exposed. This issue has been patched in versions 3.7.14 and 4.0.5.
References: https://github.com/argoproj/argo-workflows/commit/534f4ff1cbd86908e8ff76d97d553ad5a49a950d
https://github.com/argoproj/argo-workflows/releases/tag/v3.7.14
https://github.com/argoproj/argo-workflows/releases/tag/v4.0.5
https://github.com/argoproj/argo-workflows/security/advisories/GHSA-3775-99mw-8rp4
CWE-ID: CWE-863
Common Platform Enumerations (CPE): Not Found
7. CVE-2026-42301
Base Score: 7.8
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 5.9
Description: pyp2spec generates working Fedora RPM spec files for Python projects. Prior to version 0.14.1, pyp2spec was writing PyPI package metadata (e.g. the summary field) into the generated spec file without escaping RPM macro directives. When a packager then runs rpmbuild, those directives get evaluated, so a malicious package can execute arbitrary commands on the build machine. This issue has been patched in version 0.14.1.
References: https://github.com/befeleme/pyp2spec/releases/tag/v0.14.1
https://github.com/befeleme/pyp2spec/security/advisories/GHSA-r35x-v8p8-xvhw
CWE-ID: CWE-20 CWE-94
Common Platform Enumerations (CPE): Not Found
8. CVE-2026-42560
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.2
Description: auth provides authentication via oauth2, direct and email. From versions 1.18.0 to before 1.25.2 and 2.0.0 to before 2.1.2, the Patreon OAuth provider maps every authenticated Patreon account to the same local user.ID, instead of deriving a unique ID from the Patreon account returned by Patreon. In practice, this means all Patreon-authenticated users of an application using this library are collapsed into a single local identity. Any application that trusts token.User.ID as the stable account key can end up mixing or fully merging unrelated Patreon users, which can lead to cross-account access, privilege confusion, and subscription-state leakage. This issue has been patched in versions 1.25.2 and 2.1.2.
References: https://github.com/go-pkgz/auth/commit/c0b15ee72a8401da83c01781c16636c521f42698
https://github.com/go-pkgz/auth/releases/tag/v1.25.2
https://github.com/go-pkgz/auth/releases/tag/v2.1.2
https://github.com/go-pkgz/auth/security/advisories/GHSA-f6qq-3m3h-4g42
CWE-ID: CWE-287
Common Platform Enumerations (CPE): Not Found
9. CVE-2026-3828
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: Some Hikvision switch products (discontinued since December 2023) are vulnerable to authenticated remote command execution due to insufficient input validation. Attackers with valid credentials can exploit this flaw by sending crafted packets containing malicious commands to affected devices, leading to arbitrary command execution.
References: https://www.hikvision.com/en/support/cybersecurity/security-advisory/command-execution-vulnerability-in-some-hikvision-switch-product/
CWE-ID: Not assigned as of now
Common Platform Enumerations (CPE): Not Found
10. CVE-2026-42562
Base Score: 8.3
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.5
Description: Plainpad is a self-hosted note-taking app. Prior to version 1.1.1, Plainpad allows a low-privilege authenticated user to self-escalate to administrator by submitting admin=true in PUT /api.php/v1/users/{id}. The endpoint directly persists the admin attribute from user input, and the escalated account can immediately access admin-only routes. This issue has been patched in version 1.1.1.
References: https://github.com/alextselegidis/plainpad/commit/9216a876d27b22c3d9259551636d803f7cb075fc
https://github.com/alextselegidis/plainpad/issues/138
https://github.com/alextselegidis/plainpad/releases/tag/1.1.1
https://github.com/alextselegidis/plainpad/security/advisories/GHSA-pvfv-wvpm-q6f6
CWE-ID: CWE-269
Common Platform Enumerations (CPE): Not Found
11. CVE-2026-42569
Base Score: 9.4
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.5
Description: phpVMS is a PHP application to run and simulate an airline. Prior to version 7.0.6, a critical vulnerability in phpVMS allowed unauthenticated access to a legacy import feature. This issue has been patched in version 7.0.6.
References: https://github.com/phpvms/phpvms/commit/f59ba8e0e8fc25c60c3faf14e526cfd49df3f7dc
https://github.com/phpvms/phpvms/releases/tag/7.0.6
https://github.com/phpvms/phpvms/releases/tag/7.0.7
https://github.com/phpvms/phpvms/security/advisories/GHSA-fv26-4939-62fh
CWE-ID: CWE-284 CWE-306 CWE-862
Common Platform Enumerations (CPE): Not Found
12. CVE-2026-42574
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before version 1.2.5, a crafted .apk could install a TypeSymlink tar entry whose target pointed outside the build root, and a subsequent directory-creation or file-write entry in the same or later archive could traverse that symlink to reach host paths the build user could write to. This issue has been patched in version 1.2.5.
References: https://github.com/chainguard-dev/apko/commit/f5a96e1299ac81c7ea9441705ec467688086f442
https://github.com/chainguard-dev/apko/pull/2187
https://github.com/chainguard-dev/apko/releases/tag/v1.2.5
https://github.com/chainguard-dev/apko/security/advisories/GHSA-qq3r-w4hj-gjp6
CWE-ID: CWE-22 CWE-59
Common Platform Enumerations (CPE): Not Found
13. CVE-2026-42575
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: apko allows users to build and publish OCI container images built from apk packages. Prior to version 1.2.7, apko verifies the signature on APKINDEX.tar.gz but never compares individually downloaded .apk packages against the checksum recorded in the signed index. The checksum is parsed and available via ChecksumString(), and the downloaded package control hash is computed, but the two values are never compared in getPackageImpl(). Mismatched packages are silently accepted. An attacker who can substitute download responses (compromised mirror, HTTP repository, poisoned CDN cache) can install arbitrary packages into built images. This issue has been patched in version 1.2.7.
References: https://github.com/chainguard-dev/apko/commit/a118c3d604107532b5525bd4bee2fb369a6228aa
https://github.com/chainguard-dev/apko/releases/tag/v1.2.7
https://github.com/chainguard-dev/apko/security/advisories/GHSA-hcwr-pq9g-rq3m
CWE-ID: CWE-345 CWE-494
Common Platform Enumerations (CPE): Not Found
14. CVE-2026-42605
Base Score: 8.8
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.9
Description: AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the currentDirectory request parameter in the Flow.js media upload endpoint (POST /api/station/{station_id}/files/upload) is not sanitized for path traversal sequences. When combined with a local filesystem storage backend (the default), an authenticated user with media management permissions can write arbitrary files outside the station's media storage directory, achieving remote code execution by writing a PHP webshell to the web root. This issue has been patched in version 0.23.6.
References: https://github.com/AzuraCast/AzuraCast/commit/18c793b4427eb49e67a2fea99a89f1c9d9dd808d
https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6
https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-vp2f-cqqp-478j
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found
15. CVE-2026-42606
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.8
Impact Score: 5.2
Description: AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker's server. The attacker then uses the token on the real instance to reset the victim's password and destroy their 2FA configuration, achieving full account takeover. This issue has been patched in version 0.23.6.
References: https://github.com/AzuraCast/AzuraCast/commit/7c622a18b451533de317e53862b1f84acf4efd85
https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6
https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-gv7r-3mr9-h5x8
CWE-ID: CWE-640
Common Platform Enumerations (CPE): Not Found