Azuracast

AzuraCast is vulnerable to a Liquidsoap code injection vulnerability due to the incomplete migration from `cleanUpString()` to `toRawString()` in the remote relay password field, allowing a user with the `RemoteRelays` station permission to inject arbitrary Liquidsoap code by exploiting nested interpolation syntax, leading to arbitrary code execution, API key disclosure, and station disruption.

AzuraCast is vulnerable to path traversal in the Flow.js media upload endpoint, allowing authenticated users with media permissions to write arbitrary files, leading to remote code execution via PHP webshell upload.