What is CVE-2025-53096?

CVE-2025-53096 is a medium-severity vulnerability in Lizardbyte Sunshine, classified under Improper Restriction of Rendered UI Layers or Frames (Clickjacking). CVSS score: 5.4/10. Published 2025-07-01.

How severe is CVE-2025-53096?

Medium severity. CVSS v3 base score is 5.4 out of 10.

Is CVE-2025-53096 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Lizardbyte Sunshine

CVE-2025-53096

Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Clickjacking attacks. This vulnerability allows an attacker to embed the Sunshine interface within a…

EPSS: 0.002 (40.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.4 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L.

Affected products

Lizardbyte Sunshine — versions < 2025.628.4510

Weakness classification (CWE)

CWE-1021 — Improper Restriction of Rendered UI Layers or Frames (Clickjacking)

Public proof-of-concept exploits

fkie-cad/nvd-json-data-feeds

References

https://github.com/LizardByte/Sunshine/security/advisories/GHSA-x97g-h2vp-g2c5 (x_refsource_CONFIRM)
https://github.com/LizardByte/Sunshine/commit/2f27a57d01911436017f87bf08b9e36dcfaa86cc (x_refsource_MISC)

Frequently asked questions

What is CVE-2025-53096?: CVE-2025-53096 is a medium-severity vulnerability in Lizardbyte Sunshine, classified under Improper Restriction of Rendered UI Layers or Frames (Clickjacking). CVSS score: 5.4/10. Published 2025-07-01.
How severe is CVE-2025-53096?: Medium severity. CVSS v3 base score is 5.4 out of 10.
Is CVE-2025-53096 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.