Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
19 vulnerabilities by jellyfin
CVE-2026-35034 (GCVE-0-2026-35034)
Vulnerability from cvelistv5 – Published: 2026-04-14 22:31 – Updated: 2026-04-15 17:48
VLAI?
Title
Jellyfin: Potential Application DoS from excessively large SyncPlay group names
Summary
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a denial of service vulnerability in the SyncPlay group creation endpoint (POST /SyncPlay/New), where an authenticated user can create groups with names of unlimited size due to insufficient input validation. By sending large payloads combined with arbitrary group IDs, an attacker can lock out the endpoint for other clients attempting to join SyncPlay groups and significantly increase the memory usage of the Jellyfin process, potentially leading to an out-of-memory crash. This issue has been fixed in version 10.11.7.
Severity ?
6.5 (Medium)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35034",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T17:48:33.580055Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T17:48:39.733Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jellyfin",
"vendor": "jellyfin",
"versions": [
{
"status": "affected",
"version": "\u003c 10.11.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a denial of service vulnerability in the SyncPlay group creation endpoint (POST /SyncPlay/New), where an authenticated user can create groups with names of unlimited size due to insufficient input validation. By sending large payloads combined with arbitrary group IDs, an attacker can lock out the endpoint for other clients attempting to join SyncPlay groups and significantly increase the memory usage of the Jellyfin process, potentially leading to an out-of-memory crash. This issue has been fixed in version 10.11.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T22:31:44.796Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-v2jv-54xj-h76w",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-v2jv-54xj-h76w"
},
{
"name": "https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7"
}
],
"source": {
"advisory": "GHSA-v2jv-54xj-h76w",
"discovery": "UNKNOWN"
},
"title": "Jellyfin: Potential Application DoS from excessively large SyncPlay group names"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35034",
"datePublished": "2026-04-14T22:31:44.796Z",
"dateReserved": "2026-03-31T21:06:06.427Z",
"dateUpdated": "2026-04-15T17:48:39.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35033 (GCVE-0-2026-35033)
Vulnerability from cvelistv5 – Published: 2026-04-14 22:28 – Updated: 2026-04-15 13:36
VLAI?
Title
Jellyfin: Potential SSRF + Arbitrary file read via stream argument injection
Summary
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary file read vulnerability via ffmpeg argument injection through the StreamOptions query parameter parsing mechanism. The ParseStreamOptions method in StreamingHelpers.cs adds any lowercase query parameter to a dictionary without validation, bypassing the RegularExpression attribute on the level controller parameter, and the unsanitized value is concatenated directly into the ffmpeg command line. By injecting a drawtext filter with a textfile argument, an attacker can read arbitrary server files such as /etc/shadow and exfiltrate their contents as text rendered in the video stream response. The vulnerable /Videos/{itemId}/stream endpoint has no Authorize attribute, making this exploitable without authentication, though item GUIDs are pseudorandom and require an authenticated user to obtain. This issue has been fixed in version 10.11.7.
Severity ?
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35033",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T13:36:17.456385Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T13:36:26.787Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jellyfin",
"vendor": "jellyfin",
"versions": [
{
"status": "affected",
"version": "\u003c 10.11.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary file read vulnerability via ffmpeg argument injection through the StreamOptions query parameter parsing mechanism. The ParseStreamOptions method in StreamingHelpers.cs adds any lowercase query parameter to a dictionary without validation, bypassing the RegularExpression attribute on the level controller parameter, and the unsanitized value is concatenated directly into the ffmpeg command line. By injecting a drawtext filter with a textfile argument, an attacker can read arbitrary server files such as /etc/shadow and exfiltrate their contents as text rendered in the video stream response. The vulnerable /Videos/{itemId}/stream endpoint has no Authorize attribute, making this exploitable without authentication, though item GUIDs are pseudorandom and require an authenticated user to obtain. This issue has been fixed in version 10.11.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T22:29:33.684Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-jh22-fw8w-2v9x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-jh22-fw8w-2v9x"
},
{
"name": "https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7"
}
],
"source": {
"advisory": "GHSA-jh22-fw8w-2v9x",
"discovery": "UNKNOWN"
},
"title": "Jellyfin: Potential SSRF + Arbitrary file read via stream argument injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35033",
"datePublished": "2026-04-14T22:28:47.558Z",
"dateReserved": "2026-03-31T21:06:06.427Z",
"dateUpdated": "2026-04-15T13:36:26.787Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35032 (GCVE-0-2026-35032)
Vulnerability from cvelistv5 – Published: 2026-04-14 22:25 – Updated: 2026-04-15 20:02
VLAI?
Title
Jellyfin: Potential SSRF + Arbitrary file read via LiveTV M3U tuner
Summary
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not validated, allowing local file read via non-HTTP paths and Server-Side Request Forgery (SSRF) via HTTP URLs. This is exploitable by any authenticated user because the EnableLiveTvManagement permission defaults to true for all new users. An attacker can chain these vulnerabilities by adding an M3U tuner pointing to an attacker-controlled server, serving a crafted M3U with a channel pointing to the Jellyfin database, exfiltrating the database to extract admin session tokens, and escalating to admin privileges. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can disable Live TV Management privileges for all users.
Severity ?
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35032",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-15T18:45:46.875262Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T20:02:29.887Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jellyfin",
"vendor": "jellyfin",
"versions": [
{
"status": "affected",
"version": "\u003c 10.11.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not validated, allowing local file read via non-HTTP paths and Server-Side Request Forgery (SSRF) via HTTP URLs. This is exploitable by any authenticated user because the EnableLiveTvManagement permission defaults to true for all new users. An attacker can chain these vulnerabilities by adding an M3U tuner pointing to an attacker-controlled server, serving a crafted M3U with a channel pointing to the Jellyfin database, exfiltrating the database to extract admin session tokens, and escalating to admin privileges. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can disable Live TV Management privileges for all users."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "CWE-73: External Control of File Name or Path",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T22:25:35.729Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-8fw7-f233-ffr8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-8fw7-f233-ffr8"
},
{
"name": "https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7"
}
],
"source": {
"advisory": "GHSA-8fw7-f233-ffr8",
"discovery": "UNKNOWN"
},
"title": "Jellyfin: Potential SSRF + Arbitrary file read via LiveTV M3U tuner"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35032",
"datePublished": "2026-04-14T22:25:35.729Z",
"dateReserved": "2026-03-31T21:06:06.427Z",
"dateUpdated": "2026-04-15T20:02:29.887Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35031 (GCVE-0-2026-35031)
Vulnerability from cvelistv5 – Published: 2026-04-14 22:18 – Updated: 2026-04-16 13:56
VLAI?
Title
Jellyfin: Potential RCE via subtitle upload path traversal + .strm chain
Summary
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field is not validated, allowing path traversal via the file extension and enabling arbitrary file write. This arbitrary file write can be chained into arbitrary file read via .strm files, database extraction, admin privilege escalation, and ultimately remote code execution as root via ld.so.preload. Exploitation requires an administrator account or a user that has been explicitly granted the "Upload Subtitles" permission. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can grant non-administrator users Subtitle upload permissions to reduce attack surface.
Severity ?
10 (Critical)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35031",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-16T13:55:27.873525Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T13:56:06.801Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jellyfin",
"vendor": "jellyfin",
"versions": [
{
"status": "affected",
"version": "\u003c 10.11.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field is not validated, allowing path traversal via the file extension and enabling arbitrary file write. This arbitrary file write can be chained into arbitrary file read via .strm files, database extraction, admin privilege escalation, and ultimately remote code execution as root via ld.so.preload. Exploitation requires an administrator account or a user that has been explicitly granted the \"Upload Subtitles\" permission. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can grant non-administrator users Subtitle upload permissions to reduce attack surface."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-187",
"description": "CWE-187: Partial String Comparison",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T22:18:30.565Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-j2hf-x4q5-47j3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-j2hf-x4q5-47j3"
},
{
"name": "https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7"
}
],
"source": {
"advisory": "GHSA-j2hf-x4q5-47j3",
"discovery": "UNKNOWN"
},
"title": "Jellyfin: Potential RCE via subtitle upload path traversal + .strm chain"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35031",
"datePublished": "2026-04-14T22:18:30.565Z",
"dateReserved": "2026-03-31T21:06:06.427Z",
"dateUpdated": "2026-04-16T13:56:06.801Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31852 (GCVE-0-2026-31852)
Vulnerability from cvelistv5 – Published: 2026-03-11 17:04 – Updated: 2026-03-11 17:40
VLAI?
Title
Jellyfin Possible Organization/Secret Compromise from dangerous CI implementation
Summary
Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is vulnerable to arbitrary code execution via pull requests from forked repositories. Due to the workflow's elevated permissions (nearly all write permissions), this vulnerability enables full repository takeover of jellyfin/jellyfin-ios, exfiltration of highly privileged secrets, Apple App Store supply chain attack, GitHub Container Registry (ghcr.io) package poisoning, and full jellyfin organization compromise via cross-repository token usage. Note: This is not a code vulnerability, but a vulnerability in the GitHub Actions workflows. No new version is required for this GHSA and end users do not need to take any actions.
Severity ?
10 (Critical)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| jellyfin | code-quality.yml |
Affected:
< 109217e75f38394b2f6e46e25dfe5a721203d3c8
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31852",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T17:39:52.124826Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T17:40:14.800Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "code-quality.yml",
"vendor": "jellyfin",
"versions": [
{
"status": "affected",
"version": "\u003c 109217e75f38394b2f6e46e25dfe5a721203d3c8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is vulnerable to arbitrary code execution via pull requests from forked repositories. Due to the workflow\u0027s elevated permissions (nearly all write permissions), this vulnerability enables full repository takeover of jellyfin/jellyfin-ios, exfiltration of highly privileged secrets, Apple App Store supply chain attack, GitHub Container Registry (ghcr.io) package poisoning, and full jellyfin organization compromise via cross-repository token usage. Note: This is not a code vulnerability, but a vulnerability in the GitHub Actions workflows. No new version is required for this GHSA and end users do not need to take any actions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T17:04:53.881Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jellyfin/jellyfin-ios/security/advisories/GHSA-7qhm-2m45-7fmh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jellyfin/jellyfin-ios/security/advisories/GHSA-7qhm-2m45-7fmh"
},
{
"name": "https://github.com/jellyfin/jellyfin-ios/commit/109217e75f38394b2f6e46e25dfe5a721203d3c8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jellyfin/jellyfin-ios/commit/109217e75f38394b2f6e46e25dfe5a721203d3c8"
}
],
"source": {
"advisory": "GHSA-7qhm-2m45-7fmh",
"discovery": "UNKNOWN"
},
"title": "Jellyfin Possible Organization/Secret Compromise from dangerous CI implementation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31852",
"datePublished": "2026-03-11T17:04:53.881Z",
"dateReserved": "2026-03-09T19:02:25.010Z",
"dateUpdated": "2026-03-11T17:40:14.800Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-31499 (GCVE-0-2025-31499)
Vulnerability from cvelistv5 – Published: 2025-04-15 20:36 – Updated: 2025-04-16 14:43
VLAI?
Title
Jellyfin Vulnerable to Argument Injection in FFmpeg
Summary
Jellyfin is an open source self hosted media server. Versions before 10.10.7 are vulnerable to argument injection in FFmpeg. This can be leveraged to possibly achieve remote code execution by anyone with credentials to a low-privileged user. This vulnerability was previously reported in CVE-2023-49096 and patched in version 10.8.13, but the patch can be bypassed. The original fix sanitizes some parameters to make injection impossible, but certain unsanitized parameters can still be used for argument injection. The same unauthenticated endpoints are vulnerable: /Videos/<itemId>/stream and /Videos/<itemId>/stream.<container>, likely alongside similar endpoints in AudioController. This argument injection can be exploited to achieve arbitrary file write, leading to possible remote code execution through the plugin system. While the unauthenticated endpoints are vulnerable, a valid itemId is required for exploitation and any authenticated attacker could easily retrieve a valid itemId to make the exploit work. This vulnerability is patched in version 10.10.7.
Severity ?
CWE
- CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31499",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-16T14:43:21.340572Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-16T14:43:50.406Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jellyfin",
"vendor": "jellyfin",
"versions": [
{
"status": "affected",
"version": "\u003c 10.10.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jellyfin is an open source self hosted media server. Versions before 10.10.7 are vulnerable to argument injection in FFmpeg. This can be leveraged to possibly achieve remote code execution by anyone with credentials to a low-privileged user. This vulnerability was previously reported in CVE-2023-49096 and patched in version 10.8.13, but the patch can be bypassed. The original fix sanitizes some parameters to make injection impossible, but certain unsanitized parameters can still be used for argument injection. The same unauthenticated endpoints are vulnerable: /Videos/\u003citemId\u003e/stream and /Videos/\u003citemId\u003e/stream.\u003ccontainer\u003e, likely alongside similar endpoints in AudioController. This argument injection can be exploited to achieve arbitrary file write, leading to possible remote code execution through the plugin system. While the unauthenticated endpoints are vulnerable, a valid itemId is required for exploitation and any authenticated attacker could easily retrieve a valid itemId to make the exploit work. This vulnerability is patched in version 10.10.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T20:36:24.078Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-2c3c-r7gp-q32m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-2c3c-r7gp-q32m"
},
{
"name": "https://github.com/jellyfin/jellyfin/commit/79f3ce53257c5291887cd52d8ac735b5252c9a97",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jellyfin/jellyfin/commit/79f3ce53257c5291887cd52d8ac735b5252c9a97"
}
],
"source": {
"advisory": "GHSA-2c3c-r7gp-q32m",
"discovery": "UNKNOWN"
},
"title": "Jellyfin Vulnerable to Argument Injection in FFmpeg"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-31499",
"datePublished": "2025-04-15T20:36:24.078Z",
"dateReserved": "2025-03-28T13:36:51.300Z",
"dateUpdated": "2025-04-16T14:43:50.406Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32012 (GCVE-0-2025-32012)
Vulnerability from cvelistv5 – Published: 2025-04-15 20:08 – Updated: 2025-04-15 20:13
VLAI?
Title
Jellyfin Vulnerable to Denial of Service (DoS) via IP Spoofing
Summary
Jellyfin is an open source self hosted media server. In versions 10.9.0 to before 10.10.7, the /System/Restart endpoint provides administrators the ability to restart their Jellyfin server. This endpoint is intended to be admins-only, but it also authorizes requests from any device in the same local network as the Jellyfin server. Due to the method Jellyfin uses to determine the source IP of a request, an unauthenticated attacker is able to spoof their IP to appear as a LAN IP, allowing them to restart the Jellyfin server process without authentication. This means that an unauthenticated attacker could mount a denial-of-service attack on any default-configured Jellyfin server by simply sending the same spoofed request every few seconds to restart the server over and over. This method of IP spoofing also bypasses some security mechanisms, cause a denial-of-service attack, and possible bypass the admin restart requirement if combined with remote code execution. This issue is patched in version 10.10.7.
Severity ?
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32012",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-15T20:13:02.935150Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T20:13:13.413Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jellyfin",
"vendor": "jellyfin",
"versions": [
{
"status": "affected",
"version": "\u003e= 10.9.0, \u003c 10.10.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jellyfin is an open source self hosted media server. In versions 10.9.0 to before 10.10.7, the /System/Restart endpoint provides administrators the ability to restart their Jellyfin server. This endpoint is intended to be admins-only, but it also authorizes requests from any device in the same local network as the Jellyfin server. Due to the method Jellyfin uses to determine the source IP of a request, an unauthenticated attacker is able to spoof their IP to appear as a LAN IP, allowing them to restart the Jellyfin server process without authentication. This means that an unauthenticated attacker could mount a denial-of-service attack on any default-configured Jellyfin server by simply sending the same spoofed request every few seconds to restart the server over and over. This method of IP spoofing also bypasses some security mechanisms, cause a denial-of-service attack, and possible bypass the admin restart requirement if combined with remote code execution. This issue is patched in version 10.10.7."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "CWE-290: Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T20:08:52.658Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-qcmf-gmhm-rfv9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-qcmf-gmhm-rfv9"
},
{
"name": "https://github.com/jellyfin/jellyfin/commit/f625665cb116a7e3feb8b79aaf1ed39a956e0585",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jellyfin/jellyfin/commit/f625665cb116a7e3feb8b79aaf1ed39a956e0585"
}
],
"source": {
"advisory": "GHSA-qcmf-gmhm-rfv9",
"discovery": "UNKNOWN"
},
"title": "Jellyfin Vulnerable to Denial of Service (DoS) via IP Spoofing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-32012",
"datePublished": "2025-04-15T20:08:52.658Z",
"dateReserved": "2025-04-01T21:57:32.952Z",
"dateUpdated": "2025-04-15T20:13:13.413Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43801 (GCVE-0-2024-43801)
Vulnerability from cvelistv5 – Published: 2024-09-02 16:26 – Updated: 2024-09-03 19:16
VLAI?
Title
Privilege escalation to admin from a low-privileged user via SVG upload in Jellyfin
Summary
Jellyfin is an open source self hosted media server. The Jellyfin user profile image upload accepts SVG files, allowing for a stored XSS attack against an admin user via a specially crafted malicious SVG file. When viewed by an admin outside of the Jellyfin Web UI (e.g. via "view image" in a browser), this malicious SVG file could interact with the browser's LocalStorage and retrieve an AccessToken, which in turn can be used in an API call to elevate the target user to a Jellyfin administrator. The actual attack vector is unlikely to be exploited, as it requires specific actions by the administrator to view the SVG image outside of Jellyfin's WebUI, i.e. it is not a passive attack. The underlying exploit mechanism is solved by PR #12490, which forces attached images (including the potential malicious SVG) to be treated as attachments and thus downloaded by browsers, rather than viewed. This prevents exploitation of the LocalStorage of the browser. This PR has been merged and the relevant code changes are included in release version 10.9.10. All users are advised to upgrade.
Severity ?
4.6 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43801",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-03T13:51:21.573474Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-03T14:13:03.401Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-09-03T19:16:00.791Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://happy-little-accidents.pages.dev/posts/CVE-2024-43801/"
}
],
"title": "CVE Program Container",
"x_generator": {
"engine": "ADPogram 0.0.1"
}
}
],
"cna": {
"affected": [
{
"product": "jellyfin",
"vendor": "jellyfin",
"versions": [
{
"status": "affected",
"version": "\u003e= 10.8.0, \u003c 10.9.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jellyfin is an open source self hosted media server. The Jellyfin user profile image upload accepts SVG files, allowing for a stored XSS attack against an admin user via a specially crafted malicious SVG file. When viewed by an admin outside of the Jellyfin Web UI (e.g. via \"view image\" in a browser), this malicious SVG file could interact with the browser\u0027s LocalStorage and retrieve an AccessToken, which in turn can be used in an API call to elevate the target user to a Jellyfin administrator. The actual attack vector is unlikely to be exploited, as it requires specific actions by the administrator to view the SVG image outside of Jellyfin\u0027s WebUI, i.e. it is not a passive attack. The underlying exploit mechanism is solved by PR #12490, which forces attached images (including the potential malicious SVG) to be treated as attachments and thus downloaded by browsers, rather than viewed. This prevents exploitation of the LocalStorage of the browser. This PR has been merged and the relevant code changes are included in release version 10.9.10. All users are advised to upgrade."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-02T16:26:58.884Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-vcmh-9wx9-rfqh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-vcmh-9wx9-rfqh"
},
{
"name": "https://github.com/jellyfin/jellyfin/pull/12490",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jellyfin/jellyfin/pull/12490"
}
],
"source": {
"advisory": "GHSA-vcmh-9wx9-rfqh",
"discovery": "UNKNOWN"
},
"title": "Privilege escalation to admin from a low-privileged user via SVG upload in Jellyfin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-43801",
"datePublished": "2024-09-02T16:26:58.884Z",
"dateReserved": "2024-08-16T14:20:37.326Z",
"dateUpdated": "2024-09-03T19:16:00.791Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-48702 (GCVE-0-2023-48702)
Vulnerability from cvelistv5 – Published: 2023-12-13 20:53 – Updated: 2024-08-02 21:37
VLAI?
Title
Jellyfin Possible Remote Code Execution via custom FFmpeg binary
Summary
Jellyfin is a system for managing and streaming media. Prior to version 10.8.13, the `/System/MediaEncoder/Path` endpoint executes an arbitrary file using `ProcessStartInfo` via the `ValidateVersion` function. A malicious administrator can setup a network share and supply a UNC path to `/System/MediaEncoder/Path` which points to an executable on the network share, causing Jellyfin server to run the executable in the local context. The endpoint was removed in version 10.8.13.
Severity ?
7.2 (High)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:37:54.384Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://securitylab.github.com/advisories/GHSL-2023-028_jellyfin/",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://securitylab.github.com/advisories/GHSL-2023-028_jellyfin/"
},
{
"name": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rr9h-w522-cvmr",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rr9h-w522-cvmr"
},
{
"name": "https://github.com/jellyfin/jellyfin/commit/83d2c69516471e2db72d9273c6a04247d0f37c86",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jellyfin/jellyfin/commit/83d2c69516471e2db72d9273c6a04247d0f37c86"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jellyfin",
"vendor": "jellyfin",
"versions": [
{
"status": "affected",
"version": "\u003c 10.8.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jellyfin is a system for managing and streaming media. Prior to version 10.8.13, the `/System/MediaEncoder/Path` endpoint executes an arbitrary file using `ProcessStartInfo` via the `ValidateVersion` function. A malicious administrator can setup a network share and supply a UNC path to `/System/MediaEncoder/Path` which points to an executable on the network share, causing Jellyfin server to run the executable in the local context. The endpoint was removed in version 10.8.13."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-13T20:53:28.786Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://securitylab.github.com/advisories/GHSL-2023-028_jellyfin/",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://securitylab.github.com/advisories/GHSL-2023-028_jellyfin/"
},
{
"name": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rr9h-w522-cvmr",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rr9h-w522-cvmr"
},
{
"name": "https://github.com/jellyfin/jellyfin/commit/83d2c69516471e2db72d9273c6a04247d0f37c86",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jellyfin/jellyfin/commit/83d2c69516471e2db72d9273c6a04247d0f37c86"
}
],
"source": {
"advisory": "GHSA-hh6p-h87c-xph5",
"discovery": "UNKNOWN"
},
"title": "Jellyfin Possible Remote Code Execution via custom FFmpeg binary"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-48702",
"datePublished": "2023-12-13T20:53:28.786Z",
"dateReserved": "2023-11-17T19:43:37.554Z",
"dateUpdated": "2024-08-02T21:37:54.384Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-49096 (GCVE-0-2023-49096)
Vulnerability from cvelistv5 – Published: 2023-12-06 19:14 – Updated: 2025-05-28 15:44
VLAI?
Title
Argument Injection in FFmpeg codec parameters in Jellyfin
Summary
Jellyfin is a Free Software Media System for managing and streaming media. In affected versions there is an argument injection in the VideosController, specifically the `/Videos/<itemId>/stream` and `/Videos/<itemId>/stream.<container>` endpoints which are present in the current Jellyfin version. Additional endpoints in the AudioController might also be vulnerable, as they differ only slightly in execution. Those endpoints are reachable by an unauthenticated user. In order to exploit this vulnerability an unauthenticated attacker has to guess an itemId, which is a completely random GUID. It’s a very unlikely case even for a large media database with lots of items. Without an additional information leak, this vulnerability shouldn’t be directly exploitable, even if the instance is reachable from the Internet. There are a lot of query parameters that get accepted by the method. At least two of those, videoCodec and audioCodec are vulnerable to the argument injection. The values can be traced through a lot of code and might be changed in the process. However, the fallback is to always use them as-is, which means we can inject our own arguments. Those arguments land in the command line of FFmpeg. Because UseShellExecute is always set to false, we can’t simply terminate the FFmpeg command and execute our own. It should only be possible to add additional arguments to FFmpeg, which is powerful enough as it stands. There is probably a way of overwriting an arbitrary file with malicious content. This vulnerability has been addressed in version 10.8.13. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity ?
7.7 (High)
CWE
- CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T21:46:28.800Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-866x-wj5j-2vf4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-866x-wj5j-2vf4"
},
{
"name": "https://github.com/jellyfin/jellyfin/issues/5415",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jellyfin/jellyfin/issues/5415"
},
{
"name": "https://github.com/jellyfin/jellyfin/commit/a656799dc879d16d21bf2ce7ad412ebd5d45394a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jellyfin/jellyfin/commit/a656799dc879d16d21bf2ce7ad412ebd5d45394a"
},
{
"name": "https://cwe.mitre.org/data/definitions/88.html",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cwe.mitre.org/data/definitions/88.html"
},
{
"name": "https://en.wikipedia.org/wiki/Pass_the_hash",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://en.wikipedia.org/wiki/Pass_the_hash"
},
{
"name": "https://ffmpeg.org/ffmpeg-filters.html#drawtext-1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ffmpeg.org/ffmpeg-filters.html#drawtext-1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-49096",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-28T15:44:06.949596Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-28T15:44:52.025Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jellyfin",
"vendor": "jellyfin",
"versions": [
{
"status": "affected",
"version": "\u003c 10.8.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jellyfin is a Free Software Media System for managing and streaming media. In affected versions there is an argument injection in the VideosController, specifically the `/Videos/\u003citemId\u003e/stream` and `/Videos/\u003citemId\u003e/stream.\u003ccontainer\u003e` endpoints which are present in the current Jellyfin version. Additional endpoints in the AudioController might also be vulnerable, as they differ only slightly in execution. Those endpoints are reachable by an unauthenticated user. In order to exploit this vulnerability an unauthenticated attacker has to guess an itemId, which is a completely random GUID. It\u2019s a very unlikely case even for a large media database with lots of items. Without an additional information leak, this vulnerability shouldn\u2019t be directly exploitable, even if the instance is reachable from the Internet. There are a lot of query parameters that get accepted by the method. At least two of those, videoCodec and audioCodec are vulnerable to the argument injection. The values can be traced through a lot of code and might be changed in the process. However, the fallback is to always use them as-is, which means we can inject our own arguments. Those arguments land in the command line of FFmpeg. Because UseShellExecute is always set to false, we can\u2019t simply terminate the FFmpeg command and execute our own. It should only be possible to add additional arguments to FFmpeg, which is powerful enough as it stands. There is probably a way of overwriting an arbitrary file with malicious content. This vulnerability has been addressed in version 10.8.13. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-06T19:14:11.108Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-866x-wj5j-2vf4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-866x-wj5j-2vf4"
},
{
"name": "https://github.com/jellyfin/jellyfin/issues/5415",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jellyfin/jellyfin/issues/5415"
},
{
"name": "https://github.com/jellyfin/jellyfin/commit/a656799dc879d16d21bf2ce7ad412ebd5d45394a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jellyfin/jellyfin/commit/a656799dc879d16d21bf2ce7ad412ebd5d45394a"
},
{
"name": "https://cwe.mitre.org/data/definitions/88.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://cwe.mitre.org/data/definitions/88.html"
},
{
"name": "https://en.wikipedia.org/wiki/Pass_the_hash",
"tags": [
"x_refsource_MISC"
],
"url": "https://en.wikipedia.org/wiki/Pass_the_hash"
},
{
"name": "https://ffmpeg.org/ffmpeg-filters.html#drawtext-1",
"tags": [
"x_refsource_MISC"
],
"url": "https://ffmpeg.org/ffmpeg-filters.html#drawtext-1"
}
],
"source": {
"advisory": "GHSA-866x-wj5j-2vf4",
"discovery": "UNKNOWN"
},
"title": "Argument Injection in FFmpeg codec parameters in Jellyfin"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-49096",
"datePublished": "2023-12-06T19:14:11.108Z",
"dateReserved": "2023-11-21T18:57:30.430Z",
"dateUpdated": "2025-05-28T15:44:52.025Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-30627 (GCVE-0-2023-30627)
Vulnerability from cvelistv5 – Published: 2023-04-24 20:07 – Updated: 2025-02-12 16:34
VLAI?
Title
jellyfin-web has a stored cross-site scripting vulnerability in devices.js
Summary
jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the `REST` endpoints with admin privileges. When combined with CVE-2023-30626, this results in remote code execution on the Jellyfin instance in the context of the user who's running it. This issue is patched in version 10.8.10. There are no known workarounds.
Severity ?
9.1 (Critical)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| jellyfin | jellyfin-web |
Affected:
>= 10.1.0, < 10.8.10
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:28:51.834Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq"
},
{
"name": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m"
},
{
"name": "https://github.com/jellyfin/jellyfin-web/commit/b88a5951e1a517ff4c820e693d9c0da981cf68ee",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jellyfin/jellyfin-web/commit/b88a5951e1a517ff4c820e693d9c0da981cf68ee"
},
{
"name": "https://github.com/jellyfin/jellyfin-web/releases/tag/v10.8.10",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jellyfin/jellyfin-web/releases/tag/v10.8.10"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-30627",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-03T20:58:45.527693Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T16:34:53.533Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jellyfin-web",
"vendor": "jellyfin",
"versions": [
{
"status": "affected",
"version": "\u003e= 10.1.0, \u003c 10.8.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the `REST` endpoints with admin privileges. When combined with CVE-2023-30626, this results in remote code execution on the Jellyfin instance in the context of the user who\u0027s running it. This issue is patched in version 10.8.10. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-24T20:07:27.588Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq"
},
{
"name": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m"
},
{
"name": "https://github.com/jellyfin/jellyfin-web/commit/b88a5951e1a517ff4c820e693d9c0da981cf68ee",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jellyfin/jellyfin-web/commit/b88a5951e1a517ff4c820e693d9c0da981cf68ee"
},
{
"name": "https://github.com/jellyfin/jellyfin-web/releases/tag/v10.8.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jellyfin/jellyfin-web/releases/tag/v10.8.10"
}
],
"source": {
"advisory": "GHSA-89hp-h43h-r5pq",
"discovery": "UNKNOWN"
},
"title": "jellyfin-web has a stored cross-site scripting vulnerability in devices.js"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-30627",
"datePublished": "2023-04-24T20:07:27.588Z",
"dateReserved": "2023-04-13T13:25:18.833Z",
"dateUpdated": "2025-02-12T16:34:53.533Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-30626 (GCVE-0-2023-30626)
Vulnerability from cvelistv5 – Published: 2023-04-24 20:06 – Updated: 2025-02-12 16:34
VLAI?
Title
Jellyfin vulnerable to directory traversal and file write causing arbitrary code execution
Summary
Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds.
Severity ?
8.8 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:28:52.037Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m"
},
{
"name": "https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq"
},
{
"name": "https://github.com/jellyfin/jellyfin/pull/5918",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jellyfin/jellyfin/pull/5918"
},
{
"name": "https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7"
},
{
"name": "https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44"
},
{
"name": "https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-30626",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-03T21:00:37.114609Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T16:34:36.816Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jellyfin",
"vendor": "jellyfin",
"versions": [
{
"status": "affected",
"version": "\u003e= 10.8.0, \u003c 10.8.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-24T20:06:39.400Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-9p5f-5x8v-x65m"
},
{
"name": "https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jellyfin/jellyfin-web/security/advisories/GHSA-89hp-h43h-r5pq"
},
{
"name": "https://github.com/jellyfin/jellyfin/pull/5918",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jellyfin/jellyfin/pull/5918"
},
{
"name": "https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jellyfin/jellyfin/commit/82ad2633fdfb1c37a158057c7935f83e1129eda7"
},
{
"name": "https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jellyfin/jellyfin/blob/22d880662283980dec994cd7d35fe269613bfce3/Jellyfin.Api/Controllers/ClientLogController.cs#L44"
},
{
"name": "https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jellyfin/jellyfin/releases/tag/v10.8.10"
}
],
"source": {
"advisory": "GHSA-9p5f-5x8v-x65m",
"discovery": "UNKNOWN"
},
"title": "Jellyfin vulnerable to directory traversal and file write causing arbitrary code execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-30626",
"datePublished": "2023-04-24T20:06:39.400Z",
"dateReserved": "2023-04-13T13:25:18.833Z",
"dateUpdated": "2025-02-12T16:34:36.816Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-27161 (GCVE-0-2023-27161)
Vulnerability from cvelistv5 – Published: 2023-03-10 00:00 – Updated: 2025-02-28 21:41
VLAI?
Summary
Jellyfin up to v10.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /Repositories. This vulnerability allows attackers to access network resources and sensitive information via a crafted POST request.
Severity ?
7.5 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:01:32.519Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "http://jellyfin.com"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jellyfin/jellyfin"
},
{
"tags": [
"x_transferred"
],
"url": "https://notes.sjtu.edu.cn/s/yJ9lPk09a"
},
{
"tags": [
"x_transferred"
],
"url": "https://gist.github.com/b33t1e/5c067e0538a0b712dc3d59bd4b9a5952"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-27161",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-28T21:39:54.264536Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-28T21:41:04.378Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jellyfin up to v10.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /Repositories. This vulnerability allows attackers to access network resources and sensitive information via a crafted POST request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-31T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://jellyfin.com"
},
{
"url": "https://github.com/jellyfin/jellyfin"
},
{
"url": "https://notes.sjtu.edu.cn/s/yJ9lPk09a"
},
{
"url": "https://gist.github.com/b33t1e/5c067e0538a0b712dc3d59bd4b9a5952"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-27161",
"datePublished": "2023-03-10T00:00:00.000Z",
"dateReserved": "2023-02-27T00:00:00.000Z",
"dateUpdated": "2025-02-28T21:41:04.378Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23636 (GCVE-0-2023-23636)
Vulnerability from cvelistv5 – Published: 2023-02-03 00:00 – Updated: 2025-03-26 18:44
VLAI?
Summary
In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.
Severity ?
5.4 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:35:33.642Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://herolab.usd.de/security-advisories/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jellyfin/jellyfin-web/issues/3788"
},
{
"tags": [
"x_transferred"
],
"url": "https://herolab.usd.de/security-advisories/usd-2022-0030/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-23636",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T15:03:14.544387Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T18:44:45.735Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-03T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://herolab.usd.de/security-advisories/"
},
{
"url": "https://github.com/jellyfin/jellyfin-web/issues/3788"
},
{
"url": "https://herolab.usd.de/security-advisories/usd-2022-0030/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-23636",
"datePublished": "2023-02-03T00:00:00.000Z",
"dateReserved": "2023-01-16T00:00:00.000Z",
"dateUpdated": "2025-03-26T18:44:45.735Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-23635 (GCVE-0-2023-23635)
Vulnerability from cvelistv5 – Published: 2023-02-03 00:00 – Updated: 2025-03-26 18:34
VLAI?
Summary
In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.
Severity ?
5.4 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:35:33.632Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://herolab.usd.de/security-advisories/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/jellyfin/jellyfin-web/issues/3788"
},
{
"tags": [
"x_transferred"
],
"url": "https://herolab.usd.de/security-advisories/usd-2022-0031/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-23635",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-26T15:09:37.455255Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-26T18:34:46.262Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-02-03T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://herolab.usd.de/security-advisories/"
},
{
"url": "https://github.com/jellyfin/jellyfin-web/issues/3788"
},
{
"url": "https://herolab.usd.de/security-advisories/usd-2022-0031/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-23635",
"datePublished": "2023-02-03T00:00:00.000Z",
"dateReserved": "2023-01-16T00:00:00.000Z",
"dateUpdated": "2025-03-26T18:34:46.262Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35909 (GCVE-0-2022-35909)
Vulnerability from cvelistv5 – Published: 2022-08-19 11:52 – Updated: 2024-08-03 09:44
VLAI?
Summary
In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:44:22.196Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.google.com/document/d/1cBXQrokCvWxKET4BKi3ZLtVp5gst6-MrGPgMKpfXw8Y/edit"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jellyfin/jellyfin/pull/7569/files"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://medium.com/stolabs/cve-2022-35909-cve-2022-35910-incorrect-access-control-and-xss-stored-to-jellyfin-967359c91058"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-19T11:52:55.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.google.com/document/d/1cBXQrokCvWxKET4BKi3ZLtVp5gst6-MrGPgMKpfXw8Y/edit"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jellyfin/jellyfin/pull/7569/files"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://medium.com/stolabs/cve-2022-35909-cve-2022-35910-incorrect-access-control-and-xss-stored-to-jellyfin-967359c91058"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-35909",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.google.com/document/d/1cBXQrokCvWxKET4BKi3ZLtVp5gst6-MrGPgMKpfXw8Y/edit",
"refsource": "MISC",
"url": "https://docs.google.com/document/d/1cBXQrokCvWxKET4BKi3ZLtVp5gst6-MrGPgMKpfXw8Y/edit"
},
{
"name": "https://github.com/jellyfin/jellyfin/pull/7569/files",
"refsource": "MISC",
"url": "https://github.com/jellyfin/jellyfin/pull/7569/files"
},
{
"name": "https://medium.com/stolabs/cve-2022-35909-cve-2022-35910-incorrect-access-control-and-xss-stored-to-jellyfin-967359c91058",
"refsource": "MISC",
"url": "https://medium.com/stolabs/cve-2022-35909-cve-2022-35910-incorrect-access-control-and-xss-stored-to-jellyfin-967359c91058"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-35909",
"datePublished": "2022-08-19T11:52:55.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2024-08-03T09:44:22.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-35910 (GCVE-0-2022-35910)
Vulnerability from cvelistv5 – Published: 2022-08-19 11:52 – Updated: 2024-08-03 09:44
VLAI?
Summary
In Jellyfin before 10.8, stored XSS allows theft of an admin access token.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:44:22.154Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.google.com/document/d/1cBXQrokCvWxKET4BKi3ZLtVp5gst6-MrGPgMKpfXw8Y/edit"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jellyfin/jellyfin/pull/7569/files"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://medium.com/stolabs/cve-2022-35909-cve-2022-35910-incorrect-access-control-and-xss-stored-to-jellyfin-967359c91058"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Jellyfin before 10.8, stored XSS allows theft of an admin access token."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-08-19T11:52:33.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.google.com/document/d/1cBXQrokCvWxKET4BKi3ZLtVp5gst6-MrGPgMKpfXw8Y/edit"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jellyfin/jellyfin/pull/7569/files"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://medium.com/stolabs/cve-2022-35909-cve-2022-35910-incorrect-access-control-and-xss-stored-to-jellyfin-967359c91058"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-35910",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Jellyfin before 10.8, stored XSS allows theft of an admin access token."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.google.com/document/d/1cBXQrokCvWxKET4BKi3ZLtVp5gst6-MrGPgMKpfXw8Y/edit",
"refsource": "MISC",
"url": "https://docs.google.com/document/d/1cBXQrokCvWxKET4BKi3ZLtVp5gst6-MrGPgMKpfXw8Y/edit"
},
{
"name": "https://github.com/jellyfin/jellyfin/pull/7569/files",
"refsource": "MISC",
"url": "https://github.com/jellyfin/jellyfin/pull/7569/files"
},
{
"name": "https://medium.com/stolabs/cve-2022-35909-cve-2022-35910-incorrect-access-control-and-xss-stored-to-jellyfin-967359c91058",
"refsource": "MISC",
"url": "https://medium.com/stolabs/cve-2022-35909-cve-2022-35910-incorrect-access-control-and-xss-stored-to-jellyfin-967359c91058"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-35910",
"datePublished": "2022-08-19T11:52:33.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2024-08-03T09:44:22.154Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-29490 (GCVE-0-2021-29490)
Vulnerability from cvelistv5 – Published: 2021-05-05 18:25 – Updated: 2024-08-03 22:11
VLAI?
Title
Unauthenticated GET requests through Remote Image endpoints
Summary
Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Verions prior to 10.7.3 vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter. This issue potentially exposes both internal and external HTTP servers or other resources available via HTTP `GET` that are visible from the Jellyfin server. The vulnerability is patched in version 10.7.3. As a workaround, disable external access to the API endpoints `/Items/*/RemoteImages/Download`, `/Items/RemoteSearch/Image` and `/Images/Remote` via reverse proxy, or limit to known-friendly IPs.
Severity ?
5.8 (Medium)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:11:05.554Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rgjw-4fwc-9v96"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jellyfin",
"vendor": "jellyfin",
"versions": [
{
"status": "affected",
"version": "\u003c= 10.7.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Verions prior to 10.7.3 vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter. This issue potentially exposes both internal and external HTTP servers or other resources available via HTTP `GET` that are visible from the Jellyfin server. The vulnerability is patched in version 10.7.3. As a workaround, disable external access to the API endpoints `/Items/*/RemoteImages/Download`, `/Items/RemoteSearch/Image` and `/Images/Remote` via reverse proxy, or limit to known-friendly IPs."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918 Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-05T18:25:13.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rgjw-4fwc-9v96"
}
],
"source": {
"advisory": "GHSA-rgjw-4fwc-9v96",
"discovery": "UNKNOWN"
},
"title": "Unauthenticated GET requests through Remote Image endpoints",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-29490",
"STATE": "PUBLIC",
"TITLE": "Unauthenticated GET requests through Remote Image endpoints"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jellyfin",
"version": {
"version_data": [
{
"version_value": "\u003c= 10.7.2"
}
]
}
}
]
},
"vendor_name": "jellyfin"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Verions prior to 10.7.3 vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter. This issue potentially exposes both internal and external HTTP servers or other resources available via HTTP `GET` that are visible from the Jellyfin server. The vulnerability is patched in version 10.7.3. As a workaround, disable external access to the API endpoints `/Items/*/RemoteImages/Download`, `/Items/RemoteSearch/Image` and `/Images/Remote` via reverse proxy, or limit to known-friendly IPs."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-918 Server-Side Request Forgery (SSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rgjw-4fwc-9v96",
"refsource": "CONFIRM",
"url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-rgjw-4fwc-9v96"
}
]
},
"source": {
"advisory": "GHSA-rgjw-4fwc-9v96",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-29490",
"datePublished": "2021-05-05T18:25:13.000Z",
"dateReserved": "2021-03-30T00:00:00.000Z",
"dateUpdated": "2024-08-03T22:11:05.554Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21402 (GCVE-0-2021-21402)
Vulnerability from cvelistv5 – Published: 2021-03-23 19:35 – Updated: 2024-08-03 18:09
VLAI?
Title
Unauthenticated Arbitrary File Access in Jellyfin
Summary
Jellyfin is a Free Software Media System. In Jellyfin before version 10.7.1, with certain endpoints, well crafted requests will allow arbitrary file read from a Jellyfin server's file system. This issue is more prevalent when Windows is used as the host OS. Servers that are exposed to the public Internet are potentially at risk. This is fixed in version 10.7.1. As a workaround, users may be able to restrict some access by enforcing strict security permissions on their filesystem, however, it is recommended to update as soon as possible.
Severity ?
7.7 (High)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:16.077Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-wg4c-c9g9-rxhx"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jellyfin/jellyfin/commit/0183ef8e89195f420c48d2600bc0b72f6d3a7fd7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/jellyfin/jellyfin/releases/tag/v10.7.1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "jellyfin",
"vendor": "jellyfin",
"versions": [
{
"status": "affected",
"version": "\u003c 10.7.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jellyfin is a Free Software Media System. In Jellyfin before version 10.7.1, with certain endpoints, well crafted requests will allow arbitrary file read from a Jellyfin server\u0027s file system. This issue is more prevalent when Windows is used as the host OS. Servers that are exposed to the public Internet are potentially at risk. This is fixed in version 10.7.1. As a workaround, users may be able to restrict some access by enforcing strict security permissions on their filesystem, however, it is recommended to update as soon as possible."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-03-23T19:35:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-wg4c-c9g9-rxhx"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jellyfin/jellyfin/commit/0183ef8e89195f420c48d2600bc0b72f6d3a7fd7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jellyfin/jellyfin/releases/tag/v10.7.1"
}
],
"source": {
"advisory": "GHSA-wg4c-c9g9-rxhx",
"discovery": "UNKNOWN"
},
"title": "Unauthenticated Arbitrary File Access in Jellyfin",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21402",
"STATE": "PUBLIC",
"TITLE": "Unauthenticated Arbitrary File Access in Jellyfin"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "jellyfin",
"version": {
"version_data": [
{
"version_value": "\u003c 10.7.1"
}
]
}
}
]
},
"vendor_name": "jellyfin"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Jellyfin is a Free Software Media System. In Jellyfin before version 10.7.1, with certain endpoints, well crafted requests will allow arbitrary file read from a Jellyfin server\u0027s file system. This issue is more prevalent when Windows is used as the host OS. Servers that are exposed to the public Internet are potentially at risk. This is fixed in version 10.7.1. As a workaround, users may be able to restrict some access by enforcing strict security permissions on their filesystem, however, it is recommended to update as soon as possible."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-wg4c-c9g9-rxhx",
"refsource": "CONFIRM",
"url": "https://github.com/jellyfin/jellyfin/security/advisories/GHSA-wg4c-c9g9-rxhx"
},
{
"name": "https://github.com/jellyfin/jellyfin/commit/0183ef8e89195f420c48d2600bc0b72f6d3a7fd7",
"refsource": "MISC",
"url": "https://github.com/jellyfin/jellyfin/commit/0183ef8e89195f420c48d2600bc0b72f6d3a7fd7"
},
{
"name": "https://github.com/jellyfin/jellyfin/releases/tag/v10.7.1",
"refsource": "MISC",
"url": "https://github.com/jellyfin/jellyfin/releases/tag/v10.7.1"
}
]
},
"source": {
"advisory": "GHSA-wg4c-c9g9-rxhx",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21402",
"datePublished": "2021-03-23T19:35:13.000Z",
"dateReserved": "2020-12-22T00:00:00.000Z",
"dateUpdated": "2024-08-03T18:09:16.077Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}