Critical Vulnerability Information

Vulnerability Title: Clickjacking in the UI leads to unauthorized actions being performed

Severity: Moderate (5.4 / 10)
Affected versions: <=v2025.122.141614
Patched versions: 2025.628.4510

CVSS v3 Base Metrics
- Attack vector: Network
- Attack complexity: Low
- Privileges required: None
- User interaction: Required
- Scope: Unchanged
- Confidentiality: None
- Integrity: Low
- Availability: Low

CVE ID: CVE-2025-53096
Weakness: CWE-1021

Vulnerability Description

Summary:
- The web UI of Sunshine lacks protection against Clickjacking attacks. This vulnerability allows an attacker to embed the Sunshine interface within a malicious website using an invisible or disguised iframe. If a user is tricked into interacting with the malicious page while authenticated, they may unknowingly perform actions within the Sunshine application without their consent.

Impact:
- An attacker can exploit the lack of Clickjacking protections in the Sunshine web UI to perform actions as an authenticated user, such as unpairing clients, changing the configuration, or restarting the Sunshine instance.

Fix:
- The bug was patched by 2f27a57.

Additional Information

Credits:
- asfla: Remediation developer
- ReenigneArcher: Remediation verifier
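
A defensive check for the missing protection this advisory describes, as an added example that is not Sunshine's code and not the change made in 2f27a57: it classifies a response's `X-Frame-Options` and CSP `frame-ancestors` headers to tell whether a cross-origin page may frame it. The function names and the sample header sets are constructed for illustration.

```python
# Added example: classify a response's anti-framing (clickjacking) headers.
# The sample header sets below are constructed, not captured from Sunshine.

WILDCARDS = {"*", "http:", "https:"}

def framing_verdict(headers):
    """Return 'deny', 'sameorigin', 'allowlist' or 'unprotected'."""
    h = {k.lower(): v for k, v in headers.items()}

    # CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        sources = [s.lower() for s in parts[1:]]
        if sources == ["'none'"]:
            return "deny"
        if sources and all(s == "'self'" for s in sources):
            return "sameorigin"
        # Empty or wildcard source lists are flagged (conservative choice).
        if not sources or WILDCARDS & set(sources):
            return "unprotected"
        return "allowlist"  # specific origins only: review each one

    # Legacy header: only DENY and SAMEORIGIN are honoured by current
    # browsers; ALLOW-FROM is obsolete, so it is reported as unprotected.
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo in ("deny", "sameorigin"):
        return xfo
    return "unprotected"

SAMPLES = {  # constructed header sets
    "no headers": {"Content-Type": "text/html"},
    "xfo deny": {"X-Frame-Options": "DENY"},
    "csp self": {"Content-Security-Policy":
                 "default-src 'self'; frame-ancestors 'self'"},
    "csp overrides xfo": {"X-Frame-Options": "DENY",
                          "Content-Security-Policy": "frame-ancestors *"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
}

def audit(samples=SAMPLES):
    return {name: framing_verdict(hdrs) for name, hdrs in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:20} {verdict}")
```

A verdict of `unprotected` on any page of an authenticated web UI is the condition CWE-1021 covers.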