Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network, low-complexity, authenticated non-admin (PR:L), no UI; the primitive is an arbitrary .log write giving high integrity impact, no inherent read so C:N, and limited availability (A:L).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Jellyfin is an open source self hosted media server. From 10.9.0 until 10.11.10, the POST /ClientLog/Document endpoint accepts the Authorization header's Client and Version fields and uses them unsanitized as components of the on-disk filename when persisting client-uploaded log documents. As a result, any authenticated non-admin user can include ../ sequences in the Client field to cause Jellyfin to write attacker-controlled content to arbitrary paths reachable by the Jellyfin service user, with a forced .log suffix. This vulnerability is fixed in 10.11.10.
AnalysisAI
Arbitrary file write in Jellyfin media server (10.9.0 through 10.11.9) lets any authenticated non-admin user abuse the POST /ClientLog/Document endpoint to plant attacker-controlled content outside the intended log directory. The endpoint trusts the Client and Version fields of the Authorization header and uses them unsanitized to build the on-disk filename, so embedding ../ sequences in the Client field redirects writes to any path reachable by the Jellyfin service account, with a forced .log extension. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated non-admin Jellyfin account (CVSS PR:L) and the ability to send a POST request to the /ClientLog/Document endpoint over the network; the attacker supplies ../ traversal sequences in the Authorization header's Client field. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8) reflects a network-reachable, low-complexity attack needing only a valid low-privilege account and no user interaction - realistic for any Jellyfin instance with self-registration or shared/family accounts. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A user with an ordinary non-admin Jellyfin account authenticates and sends a POST /ClientLog/Document request whose Authorization header Client field contains ../ traversal sequences, causing Jellyfin to write the request body to a chosen path reachable by the service user, ending in .log. By overwriting or planting files the service can later read or act on in its context, the attacker corrupts data or stages further compromise. … |
| Remediation | Upgrade to Jellyfin 10.11.10, which sanitizes the Client/Version header components before using them in log filenames (Vendor-released patch: 10.11.10); see https://github.com/jellyfin/jellyfin/security/advisories/GHSA-jg92-mrxq-vv75. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all Jellyfin installations in the environment and document current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Jellyfin is a Free Software Media System for managing and streaming media. Rated high severity (CVSS 8.8), this vulnerab
In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality. Rated high severity (
Jellyfin is a free-software media system. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, lo
Jellyfin up to v10.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /Repositories. R
Jellyfin is a system for managing and streaming media. Rated high severity (CVSS 7.2), this vulnerability is remotely ex
Jellyfin is a Free Software Media System. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable,
Remote code execution as root in Jellyfin media server versions prior to 10.11.7 allows authenticated users with 'Upload
Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple ap
jellyfin-web is the web client for Jellyfin, a free-software media system. Rated medium severity (CVSS 5.4), this vulner
In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. Rated medium severity (CVSS 5.4),
In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. Rated medium severity (CVSS 5.4
In Jellyfin before 10.8, stored XSS allows theft of an admin access token. Rated medium severity (CVSS 5.4), this vulner
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39028