Skip to main content

Jellyfin CVE-2026-35031

| EUVDEUVD-2026-22764 CRITICAL
Improper Input Validation (CWE-20)
2026-04-14 GitHub_M
9.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

10
Patch released
Apr 23, 2026 - 17:44 nvd
Patch available
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 05:44 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
10.11.7
Analysis Generated
Apr 15, 2026 - 01:08 vuln.today
CVSS changed
Apr 14, 2026 - 23:22 NVD
10.0 (CRITICAL) 9.9 (CRITICAL)
EUVD ID Assigned
Apr 14, 2026 - 22:46 euvd
EUVD-2026-22764
Analysis Generated
Apr 14, 2026 - 22:46 vuln.today
CVE Published
Apr 14, 2026 - 22:18 nvd
CRITICAL 9.9

DescriptionGitHub Advisory

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field is not validated, allowing path traversal via the file extension and enabling arbitrary file write. This arbitrary file write can be chained into arbitrary file read via .strm files, database extraction, admin privilege escalation, and ultimately remote code execution as root via ld.so.preload. Exploitation requires an administrator account or a user that has been explicitly granted the "Upload Subtitles" permission. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can grant non-administrator users Subtitle upload permissions to reduce attack surface.

AnalysisAI

Remote code execution as root in Jellyfin media server versions prior to 10.11.7 allows authenticated users with 'Upload Subtitles' permission to execute arbitrary code through a multi-stage attack chain exploiting path traversal in subtitle uploads, arbitrary file write, and ld.so.preload manipulation. CVSS 9.9 (Critical) reflects the complete system compromise potential. EPSS data not available. Not listed in CISA KEV, indicating no confirmed active exploitation at time of analysis. Attack requires low-privilege authenticated access but can escalate to full root-level code execution.

Technical ContextAI

Jellyfin is a self-hosted open-source media streaming platform built on .NET, managing video libraries and subtitle files. The vulnerability originates from improper input validation (CWE-20) in the subtitle upload REST API endpoint (POST /Videos/{itemId}/Subtitles). The Format field lacks sanitization, enabling path traversal attacks through malicious file extensions. This allows authenticated users to write files to arbitrary filesystem locations. The attack chain leverages Jellyfin's .strm file handling (playlist files containing URLs or file paths) to achieve arbitrary file read, exposing the SQLite database containing admin credentials. Escalated admin access enables manipulation of ld.so.preload, a dynamic linker configuration file that specifies shared libraries to be loaded before all others in any executed process. By injecting a malicious shared library path into ld.so.preload and triggering process execution, attackers gain code execution with root privileges due to Jellyfin's typical deployment configurations.

RemediationAI

Upgrade immediately to Jellyfin version 10.11.7 or later, which contains input validation fixes for the subtitle upload Format field. Release available at https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7. For environments unable to upgrade immediately, implement the vendor-recommended workaround: audit user permissions and revoke 'Upload Subtitles' permission from all non-administrator accounts to reduce attack surface to only administrator-level users. Note that this workaround does not eliminate risk if administrator accounts are compromised, only reduces the exposed user base. Additionally, implement network segmentation to restrict Jellyfin server access to trusted networks, enable comprehensive audit logging for subtitle upload operations, and monitor filesystem integrity for unexpected modifications to system configuration files like ld.so.preload. Review existing subtitle files and .strm playlist files for anomalies that may indicate prior exploitation.

CVE-2023-49096 HIGH POC
8.8 Dec 06

Jellyfin is a Free Software Media System for managing and streaming media. Rated high severity (CVSS 8.8), this vulnerab

CVE-2022-35909 HIGH POC
8.8 Aug 19

In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality. Rated high severity (

CVE-2023-30626 HIGH POC
8.1 Apr 24

Jellyfin is a free-software media system. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, lo

CVE-2023-27161 HIGH POC
7.5 Mar 10

Jellyfin up to v10.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /Repositories. R

CVE-2023-48702 HIGH POC
7.2 Dec 13

Jellyfin is a system for managing and streaming media. Rated high severity (CVSS 7.2), this vulnerability is remotely ex

CVE-2021-21402 MEDIUM POC
6.5 Mar 23

Jellyfin is a Free Software Media System. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable,

CVE-2021-29490 MEDIUM POC
5.8 May 06

Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple ap

CVE-2023-30627 MEDIUM POC
5.4 Apr 24

jellyfin-web is the web client for Jellyfin, a free-software media system. Rated medium severity (CVSS 5.4), this vulner

CVE-2023-23636 MEDIUM POC
5.4 Feb 03

In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. Rated medium severity (CVSS 5.4),

CVE-2023-23635 MEDIUM POC
5.4 Feb 03

In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. Rated medium severity (CVSS 5.4

CVE-2022-35910 MEDIUM POC
5.4 Aug 19

In Jellyfin before 10.8, stored XSS allows theft of an admin access token. Rated medium severity (CVSS 5.4), this vulner

CVE-2026-35033 CRITICAL
9.3 Apr 14

Arbitrary file read via ffmpeg argument injection in Jellyfin media server versions before 10.11.7 allows unauthenticate

Share

CVE-2026-35031 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy