Skip to main content

Jellyfin CVE-2026-49247

| EUVDEUVD-2026-39028 HIGH
Path Traversal (CWE-22)
2026-06-24 GitHub_M
8.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.1 HIGH

Network, low-complexity, authenticated non-admin (PR:L), no UI; the primitive is an arbitrary .log write giving high integrity impact, no inherent read so C:N, and limited availability (A:L).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jun 24, 2026 - 20:03 EUVD
Analysis Generated
Jun 24, 2026 - 19:19 vuln.today

DescriptionCVE.org

Jellyfin is an open source self hosted media server. From 10.9.0 until 10.11.10, the POST /ClientLog/Document endpoint accepts the Authorization header's Client and Version fields and uses them unsanitized as components of the on-disk filename when persisting client-uploaded log documents. As a result, any authenticated non-admin user can include ../ sequences in the Client field to cause Jellyfin to write attacker-controlled content to arbitrary paths reachable by the Jellyfin service user, with a forced .log suffix. This vulnerability is fixed in 10.11.10.

AnalysisAI

Arbitrary file write in Jellyfin media server (10.9.0 through 10.11.9) lets any authenticated non-admin user abuse the POST /ClientLog/Document endpoint to plant attacker-controlled content outside the intended log directory. The endpoint trusts the Client and Version fields of the Authorization header and uses them unsanitized to build the on-disk filename, so embedding ../ sequences in the Client field redirects writes to any path reachable by the Jellyfin service account, with a forced .log extension. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege account
Delivery
Craft Authorization header with ../ in Client field
Exploit
POST body to /ClientLog/Document
Execution
Server writes content to traversed path (.log)
Impact
Corrupt or stage files in service-user paths

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated non-admin Jellyfin account (CVSS PR:L) and the ability to send a POST request to the /ClientLog/Document endpoint over the network; the attacker supplies ../ traversal sequences in the Authorization header's Client field. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base 8.8) reflects a network-reachable, low-complexity attack needing only a valid low-privilege account and no user interaction - realistic for any Jellyfin instance with self-registration or shared/family accounts. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A user with an ordinary non-admin Jellyfin account authenticates and sends a POST /ClientLog/Document request whose Authorization header Client field contains ../ traversal sequences, causing Jellyfin to write the request body to a chosen path reachable by the service user, ending in .log. By overwriting or planting files the service can later read or act on in its context, the attacker corrupts data or stages further compromise. …
Remediation Upgrade to Jellyfin 10.11.10, which sanitizes the Client/Version header components before using them in log filenames (Vendor-released patch: 10.11.10); see https://github.com/jellyfin/jellyfin/security/advisories/GHSA-jg92-mrxq-vv75. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all Jellyfin installations in the environment and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-49096 HIGH POC
8.8 Dec 06

Jellyfin is a Free Software Media System for managing and streaming media. Rated high severity (CVSS 8.8), this vulnerab

CVE-2022-35909 HIGH POC
8.8 Aug 19

In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality. Rated high severity (

CVE-2023-30626 HIGH POC
8.1 Apr 24

Jellyfin is a free-software media system. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, lo

CVE-2023-27161 HIGH POC
7.5 Mar 10

Jellyfin up to v10.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /Repositories. R

CVE-2023-48702 HIGH POC
7.2 Dec 13

Jellyfin is a system for managing and streaming media. Rated high severity (CVSS 7.2), this vulnerability is remotely ex

CVE-2021-21402 MEDIUM POC
6.5 Mar 23

Jellyfin is a Free Software Media System. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable,

CVE-2026-35031 CRITICAL
9.9 Apr 14

Remote code execution as root in Jellyfin media server versions prior to 10.11.7 allows authenticated users with 'Upload

CVE-2021-29490 MEDIUM POC
5.8 May 06

Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple ap

CVE-2023-30627 MEDIUM POC
5.4 Apr 24

jellyfin-web is the web client for Jellyfin, a free-software media system. Rated medium severity (CVSS 5.4), this vulner

CVE-2023-23636 MEDIUM POC
5.4 Feb 03

In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. Rated medium severity (CVSS 5.4),

CVE-2023-23635 MEDIUM POC
5.4 Feb 03

In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. Rated medium severity (CVSS 5.4

CVE-2022-35910 MEDIUM POC
5.4 Aug 19

In Jellyfin before 10.8, stored XSS allows theft of an admin access token. Rated medium severity (CVSS 5.4), this vulner

Share

CVE-2026-49247 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy