NVD HIGH: CVE-2026-42606 — AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to vers...
AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the
CVE-2026-42606
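The missing control named above is a trusted proxy allowlist. The sketch below is an added example, not AzuraCast's code or its actual fix: it honors X-Forwarded-Host only when the direct peer is a known proxy and only accepts hosts the deployment serves, falling back to a configured host otherwise. The proxy ranges, host names, reset path and function names are assumptions constructed for illustration.

```python
import ipaddress

# Assumed deployment values, constructed for this example.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.1/32"),
]
ALLOWED_HOSTS = {"radio.example.com"}   # hosts this install actually serves
CANONICAL_HOST = "radio.example.com"    # configured fallback for generated links


def peer_is_trusted(remote_addr):
    """True only if the TCP peer (not a header value) is an allowlisted proxy."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def effective_host(remote_addr, headers):
    """Pick the host used when building absolute URLs for e-mails."""
    h = {k.lower(): v for k, v in headers.items()}
    candidate = h.get("host", "")
    forwarded = h.get("x-forwarded-host")
    if forwarded and peer_is_trusted(remote_addr):
        # Assumption: the rightmost entry is the one written by the nearest
        # (trusted) proxy; anything to its left may be client-supplied.
        candidate = forwarded.split(",")[-1]
    candidate = candidate.strip().lower()
    # Even a trusted proxy's value must name a host this install serves.
    return candidate if candidate in ALLOWED_HOSTS else CANONICAL_HOST


def reset_link(remote_addr, headers, token):
    # "/reset/<token>" is a hypothetical path, not AzuraCast's real route.
    return f"https://{effective_host(remote_addr, headers)}/reset/{token}"


if __name__ == "__main__":
    # Constructed request: direct client injecting the header.
    spoofed = {"Host": "radio.example.com", "X-Forwarded-Host": "evil.example.net"}
    print(reset_link("203.0.113.7", spoofed, "tok123"))
```
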