CVE-2025-53096

Published: Jul 1, 2025

Modified: Jul 1, 2025

PUBLISHED

CVSS v3.1

5.4

MEDIUM

Description

Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Clickjacking attacks. This vulnerability allows an attacker to embed the Sunshine interface within a malicious website using an invisible or disguised iframe. If a user is tricked into interacting (one or multiple clicks) with the malicious page while authenticated, they may unknowingly perform actions within the Sunshine application without their consent. This issue has been patched in version 2025.628.4510.

Vendor	Product	Versions
LizardByte	Sunshine	affected `< 2025.628.4510`

Weaknesses (CWE)

CWE-1021

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

References

https://github.com/LizardByte/Sunshine/security/advisories/GHSA-x97g-h2vp-g2c5

x_refsource_CONFIRM

https://github.com/LizardByte/Sunshine/commit/2f27a57d01911436017f87bf08b9e36dcfaa86cc

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-53096

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References