EUVD-2026-22764CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field is not validated, allowing path traversal via the file extension and enabling arbitrary file write. This arbitrary file write can be chained into arbitrary file read via .strm files, database extraction, admin privilege escalation, and ultimately remote code execution as root via ld.so.preload. Exploitation requires an administrator account or a user that has been explicitly granted the "Upload Subtitles" permission. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can grant non-administrator users Subtitle upload permissions to reduce attack surface.
AnalysisAI
Remote code execution as root in Jellyfin media server versions prior to 10.11.7 allows authenticated users with 'Upload Subtitles' permission to execute arbitrary code through a multi-stage attack chain exploiting path traversal in subtitle uploads, arbitrary file write, and ld.so.preload manipulation. CVSS 9.9 (Critical) reflects the complete system compromise potential. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Identify all Jellyfin deployments and document current versions; restrict 'Upload Subtitles' permission to trusted administrative users only. Within 7 days: Upgrade all Jellyfin instances to version 10.11.7 or later per vendor advisory. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today