CVE-2025-53096
- Source
- https://cve.org/CVERecord?id=CVE-2025-53096
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53096.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-53096
- Aliases
-
- GHSA-x97g-h2vp-g2c5
- Published
- 2025-07-01T01:33:01.336Z
- Modified
- 2026-04-12T17:04:16.572169Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L CVSS Calculator
- Summary
- Sunshine clickjacking in the UI leads to unauthorized actions being performed
- Details
-
Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Clickjacking attacks. This vulnerability allows an attacker to embed the Sunshine interface within a malicious website using an invisible or disguised iframe. If a user is tricked into interacting (one or multiple clicks) with the malicious page while authenticated, they may unknowingly perform actions within the Sunshine application without their consent. This issue has been patched in version 2025.628.4510.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/53xxx/CVE-2025-53096.json", "cwe_ids": [ "CWE-1021" ], "cna_assigner": "GitHub_M" }- References
Affected packages
Git / github.com/lizardbyte/sunshine
Affected ranges
- Type
- GIT
- Repo
- https://github.com/lizardbyte/sunshine
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v0.*
v0.1.0
v0.1.1
v0.10.0
v0.11.0
v0.11.1
v0.2.0
v0.3.0
v0.3.1
v0.4.0
v0.8.0
v0.9.0
v2025.*
v2025.118.151840
v2025.122.141614
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53096.json"
vanir_signatures_modified
"2026-04-12T17:04:16Z"
vanir_signatures
[
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"212956361864509626197879692058320906524",
"184840781174164536877521092334400672444",
"283106148898810440707172633955193446049",
"268925405016830700229153979821007473362",
"255616432110605973807457280840205954922",
"203215498917427026273234561746737700266",
"240605006573948468832353187021843097117",
"213073478700809629252658669702218518016"
]
},
"deprecated": false,
"signature_type": "Line",
"id": "CVE-2025-53096-6ba58442",
"signature_version": "v1",
"source": "https://github.com/lizardbyte/sunshine/commit/65f14e1003f831e776c170621bd06d8292f65155",
"target": {
"file": "src/config.cpp"
}
}
]