SCA: security update for azuracast/azuracast (GHSA-gv7r-3mr9-h5x8)

high Tenable Cloud Security Plugin ID 441102

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the
ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no
trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by
injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link,
their reset token is exfiltrated to the attacker's server. The attacker then uses the token on the real
instance to reset the victim's password and destroy their 2FA configuration, achieving full account
takeover. This issue has been patched in version 0.23.6. (CVE-2026-42606)

Solution

Update the azuracast/azuracast library and its related packages to version 0.23.6 or later.

See Also

https://github.com/advisories/GHSA-gv7r-3mr9-h5x8

Plugin Details

Severity: High

ID: 441102

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 5/5/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.88

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-42606

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/4/2026

Vulnerability Publication Date: 5/4/2026

Reference Information

CVE: CVE-2026-42606

cwe: CWE-640