Skip to main content

Jellyfin

22 CVEs product

Monthly

CVE-2026-49220 MEDIUM PATCH This Month

Stored XSS in Jellyfin's administrative dashboard allows a low-privileged user to execute arbitrary JavaScript in the browser context of a logged-in administrator. The `Client` header supplied during an `AuthenticateByName` API request is stored without sanitization and rendered unescaped when an administrator visits the Access tab of that user's profile in the dashboard. Affecting all versions prior to 10.11.9, successful exploitation could enable admin session hijacking, credential exfiltration, or unauthorized administrative actions; no public exploit or CISA KEV listing has been identified at time of analysis.

XSS Jellyfin
NVD GitHub
CVSS 3.1
5.7
EPSS
0.2%
CVE-2026-48793 HIGH PATCH This Week

Arbitrary file write and information disclosure in Jellyfin self-hosted media server (all versions prior to 10.11.10) arise from FFmpeg argument injection in the subtitle conversion path. Because SubtitleController.GetSubtitle carries no [Authorize] attribute, an attacker who can place a maliciously named file into a Jellyfin media library directory (e.g., via a shared NAS, Samba share, or guest upload) can break FFmpeg's argument quoting on Linux and inject arbitrary FFmpeg flags. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the unauthenticated endpoint and high CVSS (8.8) make it a meaningful concern for exposed instances.

Information Disclosure Jellyfin
NVD GitHub
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-49246 LOW PATCH Monitor

Path traversal in Jellyfin prior to 10.11.10 enables an attacker who can place a crafted MKV file in a victim's Jellyfin library to redirect the server's MKV attachment extraction routine to arbitrary absolute filesystem paths on the host. The flaw originates in .NET's Path.Combine behavior: Jellyfin passes the unsanitized MKV filename tag directly into Path.Combine(attachmentFolder, fileName), and .NET silently ignores the base path when the second argument is rooted, enabling full path override. Exploitation is triggered automatically whenever any Jellyfin client plays the affected file with subtitle burning enabled, which is the default behavior. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 1.7 reflects high complexity and low integrity-only impact.

Path Traversal Jellyfin
NVD GitHub
CVSS 4.0
1.7
EPSS
0.3%
CVE-2026-49247 HIGH PATCH This Week

Arbitrary file write in Jellyfin media server (10.9.0 through 10.11.9) lets any authenticated non-admin user abuse the POST /ClientLog/Document endpoint to plant attacker-controlled content outside the intended log directory. The endpoint trusts the Client and Version fields of the Authorization header and uses them unsanitized to build the on-disk filename, so embedding ../ sequences in the Client field redirects writes to any path reachable by the Jellyfin service account, with a forced .log extension. No public exploit has been identified at time of analysis, and the issue is fixed in 10.11.10.

Path Traversal Jellyfin
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-35034 MEDIUM PATCH This Month

Denial of service in Jellyfin versions prior to 10.11.7 allows authenticated users to exhaust server resources and crash the SyncPlay media synchronization service via the group creation endpoint (POST /SyncPlay/New) by submitting unbounded payload sizes. An attacker can lock out legitimate clients from accessing SyncPlay functionality and trigger out-of-memory conditions through insufficient input validation on group names and IDs. No public exploit code or active exploitation has been identified.

Denial Of Service Jellyfin
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-35033 CRITICAL PATCH Act Now

Arbitrary file read via ffmpeg argument injection in Jellyfin media server versions before 10.11.7 allows unauthenticated remote attackers to exfiltrate sensitive server files (including /etc/shadow) through malicious StreamOptions query parameters. The vulnerability bypasses input validation by exploiting the ParseStreamOptions method, which concatenates unsanitized lowercase query parameters directly into ffmpeg command lines, enabling drawtext filter injection to render file contents in video streams. CVSS 9.3 (Critical) with network attack vector and no authentication required. No public exploit identified at time of analysis, though the technical details in the advisory provide a clear exploitation path.

Authentication Bypass Jellyfin
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-35032 HIGH PATCH This Week

Jellyfin media server versions before 10.11.7 allow authenticated users to escalate privileges to administrator through a chained exploit involving M3U tuner SSRF, local file read, and database exfiltration. Any authenticated user can exploit this because the EnableLiveTvManagement permission defaults to enabled. The attack chain enables reading the Jellyfin database to extract admin session tokens, achieving full administrative control. CVSS 8.6 (High) reflects network-accessible attack requiring only low-privilege authentication. No active exploitation (CISA KEV) confirmed, but public disclosure via GitHub Security Advisory indicates exploit details are known.

SSRF Jellyfin
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-35031 CRITICAL PATCH NEWS Act Now

Remote code execution as root in Jellyfin media server versions prior to 10.11.7 allows authenticated users with 'Upload Subtitles' permission to execute arbitrary code through a multi-stage attack chain exploiting path traversal in subtitle uploads, arbitrary file write, and ld.so.preload manipulation. CVSS 9.9 (Critical) reflects the complete system compromise potential. EPSS data not available. Not listed in CISA KEV, indicating no confirmed active exploitation at time of analysis. Attack requires low-privilege authenticated access but can escalate to full root-level code execution.

Privilege Escalation RCE Path Traversal Jellyfin
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2025-31499 HIGH PATCH This Week

Jellyfin is an open source self hosted media server. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable.

RCE Jellyfin
NVD GitHub
CVSS 4.0
7.6
EPSS
0.7%
CVE-2025-32012 MEDIUM PATCH This Month

Jellyfin is an open source self hosted media server. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, no authentication required.

RCE Authentication Bypass Jellyfin
NVD GitHub
CVSS 4.0
4.6
EPSS
1.7%
CVE-2024-43801 MEDIUM PATCH This Month

Jellyfin is an open source self hosted media server. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

XSS Information Disclosure Jellyfin
NVD GitHub
CVSS 3.1
5.4
EPSS
0.3%
CVE-2023-48702 HIGH POC PATCH This Week

Jellyfin is a system for managing and streaming media. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Command Injection Jellyfin
NVD GitHub
CVSS 3.1
7.2
EPSS
1.2%
CVE-2023-49096 HIGH POC PATCH This Week

Jellyfin is a Free Software Media System for managing and streaming media. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Jellyfin
NVD GitHub
CVSS 3.1
8.8
EPSS
1.3%
CVE-2023-30627 MEDIUM POC PATCH This Month

jellyfin-web is the web client for Jellyfin, a free-software media system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE XSS Jellyfin
NVD GitHub
CVSS 3.1
5.4
EPSS
1.3%
CVE-2023-30626 NuGet HIGH POC PATCH This Week

Jellyfin is a free-software media system. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Path Traversal XSS Jellyfin
NVD GitHub
CVSS 3.1
8.1
EPSS
2.0%
CVE-2023-27161 HIGH POC This Week

Jellyfin up to v10.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /Repositories. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Jellyfin
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
1.0%
CVE-2023-23636 npm MEDIUM POC PATCH This Month

In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Jellyfin
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
CVE-2023-23635 npm MEDIUM POC PATCH This Month

In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Jellyfin
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-35910 MEDIUM POC PATCH This Month

In Jellyfin before 10.8, stored XSS allows theft of an admin access token. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Jellyfin
NVD GitHub
CVSS 3.1
5.4
EPSS
0.7%
CVE-2022-35909 NuGet HIGH POC PATCH This Week

In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Jellyfin
NVD GitHub
CVSS 3.1
8.8
EPSS
1.3%
CVE-2021-29490 MEDIUM POC PATCH THREAT This Month

Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Jellyfin
NVD GitHub
CVSS 3.1
5.8
EPSS
69.9%
CVE-2021-21402 MEDIUM POC PATCH THREAT This Month

Jellyfin is a Free Software Media System. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Microsoft Path Traversal Jellyfin
NVD GitHub
CVSS 3.1
6.5
EPSS
79.9%
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

Stored XSS in Jellyfin's administrative dashboard allows a low-privileged user to execute arbitrary JavaScript in the browser context of a logged-in administrator. The `Client` header supplied during an `AuthenticateByName` API request is stored without sanitization and rendered unescaped when an administrator visits the Access tab of that user's profile in the dashboard. Affecting all versions prior to 10.11.9, successful exploitation could enable admin session hijacking, credential exfiltration, or unauthorized administrative actions; no public exploit or CISA KEV listing has been identified at time of analysis.

XSS Jellyfin
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary file write and information disclosure in Jellyfin self-hosted media server (all versions prior to 10.11.10) arise from FFmpeg argument injection in the subtitle conversion path. Because SubtitleController.GetSubtitle carries no [Authorize] attribute, an attacker who can place a maliciously named file into a Jellyfin media library directory (e.g., via a shared NAS, Samba share, or guest upload) can break FFmpeg's argument quoting on Linux and inject arbitrary FFmpeg flags. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV, but the unauthenticated endpoint and high CVSS (8.8) make it a meaningful concern for exposed instances.

Information Disclosure Jellyfin
NVD GitHub
EPSS 0% CVSS 1.7
LOW PATCH Monitor

Path traversal in Jellyfin prior to 10.11.10 enables an attacker who can place a crafted MKV file in a victim's Jellyfin library to redirect the server's MKV attachment extraction routine to arbitrary absolute filesystem paths on the host. The flaw originates in .NET's Path.Combine behavior: Jellyfin passes the unsanitized MKV filename tag directly into Path.Combine(attachmentFolder, fileName), and .NET silently ignores the base path when the second argument is rooted, enabling full path override. Exploitation is triggered automatically whenever any Jellyfin client plays the affected file with subtitle burning enabled, which is the default behavior. No public exploit has been identified at time of analysis, and the CVSS 4.0 score of 1.7 reflects high complexity and low integrity-only impact.

Path Traversal Jellyfin
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary file write in Jellyfin media server (10.9.0 through 10.11.9) lets any authenticated non-admin user abuse the POST /ClientLog/Document endpoint to plant attacker-controlled content outside the intended log directory. The endpoint trusts the Client and Version fields of the Authorization header and uses them unsanitized to build the on-disk filename, so embedding ../ sequences in the Client field redirects writes to any path reachable by the Jellyfin service account, with a forced .log extension. No public exploit has been identified at time of analysis, and the issue is fixed in 10.11.10.

Path Traversal Jellyfin
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Denial of service in Jellyfin versions prior to 10.11.7 allows authenticated users to exhaust server resources and crash the SyncPlay media synchronization service via the group creation endpoint (POST /SyncPlay/New) by submitting unbounded payload sizes. An attacker can lock out legitimate clients from accessing SyncPlay functionality and trigger out-of-memory conditions through insufficient input validation on group names and IDs. No public exploit code or active exploitation has been identified.

Denial Of Service Jellyfin
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Arbitrary file read via ffmpeg argument injection in Jellyfin media server versions before 10.11.7 allows unauthenticated remote attackers to exfiltrate sensitive server files (including /etc/shadow) through malicious StreamOptions query parameters. The vulnerability bypasses input validation by exploiting the ParseStreamOptions method, which concatenates unsanitized lowercase query parameters directly into ffmpeg command lines, enabling drawtext filter injection to render file contents in video streams. CVSS 9.3 (Critical) with network attack vector and no authentication required. No public exploit identified at time of analysis, though the technical details in the advisory provide a clear exploitation path.

Authentication Bypass Jellyfin
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Jellyfin media server versions before 10.11.7 allow authenticated users to escalate privileges to administrator through a chained exploit involving M3U tuner SSRF, local file read, and database exfiltration. Any authenticated user can exploit this because the EnableLiveTvManagement permission defaults to enabled. The attack chain enables reading the Jellyfin database to extract admin session tokens, achieving full administrative control. CVSS 8.6 (High) reflects network-accessible attack requiring only low-privilege authentication. No active exploitation (CISA KEV) confirmed, but public disclosure via GitHub Security Advisory indicates exploit details are known.

SSRF Jellyfin
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Remote code execution as root in Jellyfin media server versions prior to 10.11.7 allows authenticated users with 'Upload Subtitles' permission to execute arbitrary code through a multi-stage attack chain exploiting path traversal in subtitle uploads, arbitrary file write, and ld.so.preload manipulation. CVSS 9.9 (Critical) reflects the complete system compromise potential. EPSS data not available. Not listed in CISA KEV, indicating no confirmed active exploitation at time of analysis. Attack requires low-privilege authenticated access but can escalate to full root-level code execution.

Privilege Escalation RCE Path Traversal +1
NVD GitHub
EPSS 1% CVSS 7.6
HIGH PATCH This Week

Jellyfin is an open source self hosted media server. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable.

RCE Jellyfin
NVD GitHub
EPSS 2% CVSS 4.6
MEDIUM PATCH This Month

Jellyfin is an open source self hosted media server. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, no authentication required.

RCE Authentication Bypass Jellyfin
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Jellyfin is an open source self hosted media server. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

XSS Information Disclosure Jellyfin
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC PATCH This Week

Jellyfin is a system for managing and streaming media. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Command Injection Jellyfin
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

Jellyfin is a Free Software Media System for managing and streaming media. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Jellyfin
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

jellyfin-web is the web client for Jellyfin, a free-software media system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE XSS Jellyfin
NVD GitHub
EPSS 2% CVSS 8.1
HIGH POC PATCH This Week

Jellyfin is a free-software media system. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Path Traversal XSS +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

Jellyfin up to v10.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /Repositories. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Jellyfin
NVD GitHub VulDB
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Jellyfin
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Jellyfin
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

In Jellyfin before 10.8, stored XSS allows theft of an admin access token. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

XSS Jellyfin
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Jellyfin
NVD GitHub
EPSS 70% CVSS 5.8
MEDIUM POC PATCH THREAT This Month

Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Server-Side Request Forgery (SSRF) vulnerability could allow attackers to make the server perform requests to unintended internal or external resources.

SSRF Jellyfin
NVD GitHub
EPSS 80% CVSS 6.5
MEDIUM POC PATCH THREAT This Month

Jellyfin is a Free Software Media System. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Microsoft Path Traversal Jellyfin
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy