The versions of RuneAudio on the official downloads page have known unpatched vulnerabilities such as the KRACK WPA2 vulnerability. By default those downloads also come with SSH enabled and a default username/password printed on the public site. There are newer unofficial/beta versions and instructions for updates scattered throughout the forum, but the documentation page doesn't say anything about that.
Shouldn't a notice be put on the downloads/documentation pages that the versions there are end of life and not receiving security updates?
Edit: There is more. In recent weeks there has been news about exploits against localhost/LAN services through DNS rebinding methods by malicious sites through a LAN user's browser. See for example this Ars Technica piece:
https://arstechnica.com/information-tec ... -computer/
AFAICT RuneAudio could also be vulnerable to such attacks. What could happen? Well, for a start, an attacker (or their automatic scripts) could access the /dev page and change stuff, since RuneAudio has no feature for password restricting access to only some LAN devices. But the gap in updates to RuneAudio also increases the risk that there are unpatched vulnerabilities in Arch, PHP, JavaScript etc. that a DNS rebind attacker could exploit as a second step.
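
A common server-side mitigation for the DNS rebinding risk raised in the post is to reject any request whose Host header is not a name or address the device is actually known by, because a rebinding request still carries the attacker's domain in that header. The sketch below is an added example, not part of the original post and not RuneAudio code; the allowed names and all sample headers are constructed assumptions.

```python
import ipaddress

# Assumed names the player is legitimately reached by (constructed values).
ALLOWED_NAMES = {"runeaudio", "runeaudio.local", "localhost"}


def split_host_header(value):
    """Return the lower-cased host part of a Host header (no port), or None if malformed."""
    value = (value or "").strip().lower()
    if not value or any(c in value for c in " \t/\\@,"):
        return None
    if value.startswith("["):  # bracketed IPv6 literal, optional :port
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
    else:
        host, sep, port = value.partition(":")
        rest = sep + port
    if rest and not (rest[0] == ":" and rest[1:].isdigit()):
        return None
    return host.rstrip(".") or None  # tolerate a fully qualified trailing dot


def host_is_trusted(value, allowed_names=ALLOWED_NAMES):
    """True if the Host header names this device or is a LAN/loopback IP literal."""
    host = split_host_header(value)
    if host is None:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: only exact matches count, so suffix tricks fail.
        return host in allowed_names
    # An IP literal involves no attacker-controlled DNS name.
    return ip.is_private or ip.is_loopback or ip.is_link_local


if __name__ == "__main__":
    # Constructed sample headers: legitimate LAN use, then rebinding-style requests.
    for sample in ["runeaudio.local", "192.168.1.50:80", "[fe80::1]:80",
                   "rebind.attacker.example", "runeaudio.local.attacker.example"]:
        print(f"{sample!r:40} -> {'allow' if host_is_trusted(sample) else 'reject (403)'}")
```

This check only narrows the rebinding path; it does not replace authentication on the /dev page or updates to the underlying system.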