Jellyfin
Monthly
Stored XSS in Jellyfin's administrative dashboard allows a low-privileged user to execute arbitrary JavaScript in the browser context of a logged-in administrator. The `Client` header supplied during an `AuthenticateByName` API request is stored without sanitization and rendered unescaped when an administrator visits the Access tab of that user's profile in the dashboard. Affecting all versions prior to 10.11.9, successful exploitation could enable admin session hijacking, credential exfiltration, or unauthorized administrative actions; no public exploit or CISA KEV listing has been identified at time of analysis.
Arbitrary file write and information disclosure in Jellyfin self-hosted media server (all versions prior to 10.11.10) arise from FFmpeg argument injection in the subtitle conversion path. Because SubtitleController.GetSubtitle carries no [Authorize] attribute, an attacker who can place a maliciously named file into a Jellyfin media library directory (e.g., via a shared NAS, Samba share, or guest upload) can break FFmpeg's argument quoting on Linux and inject arbitrary FFmpeg flags. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the unauthenticated endpoint and high CVSS (8.8) make it a meaningful concern for exposed instances.
Path traversal in Jellyfin prior to 10.11.10 enables an attacker who can place a crafted MKV file in a victim's Jellyfin library to redirect the server's MKV attachment extraction routine to arbitrary absolute filesystem paths on the host. The flaw originates in .NET's Path.Combine behavior: Jellyfin passes the unsanitized MKV filename tag directly into Path.Combine(attachmentFolder, fileName), and .NET silently ignores the base path when the second argument is rooted, enabling full path override. Exploitation is triggered automatically whenever any Jellyfin client plays the affected file with subtitle burning enabled, which is the default behavior. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 1.7 reflects high complexity and low integrity-only impact.
Arbitrary file write in Jellyfin media server (10.9.0 through 10.11.9) lets any authenticated non-admin user abuse the POST /ClientLog/Document endpoint to plant attacker-controlled content outside the intended log directory. The endpoint trusts the Client and Version fields of the Authorization header and uses them unsanitized to build the on-disk filename, so embedding ../ sequences in the Client field redirects writes to any path reachable by the Jellyfin service account, with a forced .log extension. No public exploit has been identified at time of analysis, and the issue is fixed in 10.11.10.
Denial of service in Jellyfin versions prior to 10.11.7 allows authenticated users to exhaust server resources and crash the SyncPlay media synchronization service via the group creation endpoint (POST /SyncPlay/New) by submitting unbounded payload sizes. An attacker can lock out legitimate clients from accessing SyncPlay functionality and trigger out-of-memory conditions through insufficient input validation on group names and IDs. No public exploit code or active exploitation has been identified.
Arbitrary file read via ffmpeg argument injection in Jellyfin media server versions before 10.11.7 allows unauthenticated remote attackers to exfiltrate sensitive server files (including /etc/shadow) through malicious StreamOptions query parameters. The vulnerability bypasses input validation by exploiting the ParseStreamOptions method, which concatenates unsanitized lowercase query parameters directly into ffmpeg command lines, enabling drawtext filter injection to render file contents in video streams. CVSS 9.3 (Critical) with network attack vector and no authentication required. No public exploit identified at time of analysis, though the technical details in the advisory provide a clear exploitation path.
Jellyfin media server versions before 10.11.7 allow authenticated users to escalate privileges to administrator through a chained exploit involving M3U tuner SSRF, local file read, and database exfiltration. Any authenticated user can exploit this because the EnableLiveTvManagement permission defaults to enabled. The attack chain enables reading the Jellyfin database to extract admin session tokens, achieving full administrative control. CVSS 8.6 (High) reflects network-accessible attack requiring only low-privilege authentication. No active exploitation (CISA KEV) confirmed, but public disclosure via GitHub Security Advisory indicates exploit details are known.
Remote code execution as root in Jellyfin media server versions prior to 10.11.7 allows authenticated users with 'Upload Subtitles' permission to execute arbitrary code through a multi-stage attack chain exploiting path traversal in subtitle uploads, arbitrary file write, and ld.so.preload manipulation. CVSS 9.9 (Critical) reflects the complete system compromise potential. EPSS data not available. Not listed in CISA KEV, indicating no confirmed active exploitation at time of analysis. Attack requires low-privilege authenticated access but can escalate to full root-level code execution.
Jellyfin is an open source self hosted media server. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable.
Jellyfin is an open source self hosted media server. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, no authentication required.
Jellyfin is an open source self hosted media server. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
Jellyfin is a system for managing and streaming media. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Jellyfin is a Free Software Media System for managing and streaming media. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
jellyfin-web is the web client for Jellyfin, a free-software media system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Jellyfin is a free-software media system. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Jellyfin up to v10.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /Repositories. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
In Jellyfin before 10.8, stored XSS allows theft of an admin access token. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.
Jellyfin is a Free Software Media System. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.
Stored XSS in Jellyfin's administrative dashboard allows a low-privileged user to execute arbitrary JavaScript in the browser context of a logged-in administrator. The `Client` header supplied during an `AuthenticateByName` API request is stored without sanitization and rendered unescaped when an administrator visits the Access tab of that user's profile in the dashboard. Affecting all versions prior to 10.11.9, successful exploitation could enable admin session hijacking, credential exfiltration, or unauthorized administrative actions; no public exploit or CISA KEV listing has been identified at time of analysis.
Arbitrary file write and information disclosure in Jellyfin self-hosted media server (all versions prior to 10.11.10) arise from FFmpeg argument injection in the subtitle conversion path. Because SubtitleController.GetSubtitle carries no [Authorize] attribute, an attacker who can place a maliciously named file into a Jellyfin media library directory (e.g., via a shared NAS, Samba share, or guest upload) can break FFmpeg's argument quoting on Linux and inject arbitrary FFmpeg flags. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the unauthenticated endpoint and high CVSS (8.8) make it a meaningful concern for exposed instances.
Path traversal in Jellyfin prior to 10.11.10 enables an attacker who can place a crafted MKV file in a victim's Jellyfin library to redirect the server's MKV attachment extraction routine to arbitrary absolute filesystem paths on the host. The flaw originates in .NET's Path.Combine behavior: Jellyfin passes the unsanitized MKV filename tag directly into Path.Combine(attachmentFolder, fileName), and .NET silently ignores the base path when the second argument is rooted, enabling full path override. Exploitation is triggered automatically whenever any Jellyfin client plays the affected file with subtitle burning enabled, which is the default behavior. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 1.7 reflects high complexity and low integrity-only impact.
Arbitrary file write in Jellyfin media server (10.9.0 through 10.11.9) lets any authenticated non-admin user abuse the POST /ClientLog/Document endpoint to plant attacker-controlled content outside the intended log directory. The endpoint trusts the Client and Version fields of the Authorization header and uses them unsanitized to build the on-disk filename, so embedding ../ sequences in the Client field redirects writes to any path reachable by the Jellyfin service account, with a forced .log extension. No public exploit has been identified at time of analysis, and the issue is fixed in 10.11.10.
Denial of service in Jellyfin versions prior to 10.11.7 allows authenticated users to exhaust server resources and crash the SyncPlay media synchronization service via the group creation endpoint (POST /SyncPlay/New) by submitting unbounded payload sizes. An attacker can lock out legitimate clients from accessing SyncPlay functionality and trigger out-of-memory conditions through insufficient input validation on group names and IDs. No public exploit code or active exploitation has been identified.
Arbitrary file read via ffmpeg argument injection in Jellyfin media server versions before 10.11.7 allows unauthenticated remote attackers to exfiltrate sensitive server files (including /etc/shadow) through malicious StreamOptions query parameters. The vulnerability bypasses input validation by exploiting the ParseStreamOptions method, which concatenates unsanitized lowercase query parameters directly into ffmpeg command lines, enabling drawtext filter injection to render file contents in video streams. CVSS 9.3 (Critical) with network attack vector and no authentication required. No public exploit identified at time of analysis, though the technical details in the advisory provide a clear exploitation path.
Jellyfin media server versions before 10.11.7 allow authenticated users to escalate privileges to administrator through a chained exploit involving M3U tuner SSRF, local file read, and database exfiltration. Any authenticated user can exploit this because the EnableLiveTvManagement permission defaults to enabled. The attack chain enables reading the Jellyfin database to extract admin session tokens, achieving full administrative control. CVSS 8.6 (High) reflects network-accessible attack requiring only low-privilege authentication. No active exploitation (CISA KEV) confirmed, but public disclosure via GitHub Security Advisory indicates exploit details are known.
Remote code execution as root in Jellyfin media server versions prior to 10.11.7 allows authenticated users with 'Upload Subtitles' permission to execute arbitrary code through a multi-stage attack chain exploiting path traversal in subtitle uploads, arbitrary file write, and ld.so.preload manipulation. CVSS 9.9 (Critical) reflects the complete system compromise potential. EPSS data not available. Not listed in CISA KEV, indicating no confirmed active exploitation at time of analysis. Attack requires low-privilege authenticated access but can escalate to full root-level code execution.
Jellyfin is an open source self hosted media server. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable.
Jellyfin is an open source self hosted media server. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, no authentication required.
Jellyfin is an open source self hosted media server. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.
Jellyfin is a system for managing and streaming media. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Jellyfin is a Free Software Media System for managing and streaming media. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
jellyfin-web is the web client for Jellyfin, a free-software media system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Jellyfin is a free-software media system. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Jellyfin up to v10.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /Repositories. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
In Jellyfin before 10.8, stored XSS allows theft of an admin access token. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.
Jellyfin is a Free Software Media System. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.