Ghsa

AzuraCast is vulnerable to a Liquidsoap code injection vulnerability due to the incomplete migration from `cleanUpString()` to `toRawString()` in the remote relay password field, allowing a user with the `RemoteRelays` station permission to inject arbitrary Liquidsoap code by exploiting nested interpolation syntax, leading to arbitrary code execution, API key disclosure, and station disruption.

A critical authentication bypass vulnerability in note-mark allows attackers to authenticate as any OIDC-registered user by submitting the password 'null' to the internal login endpoint due to a hardcoded bcrypt hash fallback, potentially leading to account takeover and persistent access.