Clickjacking Vulnerability in Sunshine Game Stream Host by LizardByte
CVE-2025-53096

5.4MEDIUM

Key Information:

Vendor: Lizardbyte
Status: Sunshine
Vendor: CVE Published:; 1 July 2025

What is CVE-2025-53096?

Sunshine, a self-hosted game stream host developed by LizardByte, is susceptible to Clickjacking attacks in its web interface before version 2025.628.4510. This vulnerability enables an attacker to embed the Sunshine UI inside a malicious site using transparent or disguised iframes. Users who unintentionally interact with the compromised site while logged into Sunshine may trigger unauthorized actions within their session, risking data integrity and user safety. To mitigate this risk, it is crucial for users to update to version 2025.628.4510, where this issue has been addressed.

Affected Version(s)

Sunshine < 2025.628.4510

References

https://github.com/LizardByte/Sunshine/security/advisorie...

x_refsource_CONFIRM

https://github.com/LizardByte/Sunshine/commit/2f27a57d019...

x_refsource_MISC

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 1, 2025
Vulnerability Reserved
Jun 25, 2025

Lizardbyte

What is CVE-2025-53096?

Affected Version(s)

References

CVSS V3.1

Timeline