Jellyfin
Monthly
Denial of service in Jellyfin versions prior to 10.11.7 allows authenticated users to exhaust server resources and crash the SyncPlay media synchronization service via the group creation endpoint (POST /SyncPlay/New) by submitting oversized payloads. Because group names and IDs are not length-checked, an attacker can trigger out-of-memory conditions and lock legitimate clients out of SyncPlay. No public exploit code or active exploitation has been identified.
Arbitrary file read via ffmpeg argument injection in Jellyfin media server versions before 10.11.7 allows unauthenticated remote attackers to exfiltrate sensitive server files (including /etc/shadow) through malicious StreamOptions query parameters. The flaw is in the ParseStreamOptions method, which lower-cases query parameters and concatenates them unsanitized into the ffmpeg command line; an attacker can inject a drawtext filter that renders a file's contents into the video stream. CVSS 9.3 (Critical), network attack vector, no authentication required. No public exploit identified at time of analysis, though the technical details in the advisory provide a clear exploitation path.
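The pattern the advisory describes, shown as an added example that is not Jellyfin's code: a builder that splices lower-cased query values straight into the ffmpeg filter graph, beside a hardened parser that allowlists option names, pattern-checks the values and converts them to typed integers before any argument is built. The option names, patterns and the constructed request are assumptions for illustration, not Jellyfin's actual ParseStreamOptions.

```python
import re

# Hypothetical allowlist of stream options for this example: lower-cased option
# name -> pattern the whole value must match. Jellyfin's actual ParseStreamOptions
# and its option names are not reproduced here.
ALLOWED_STREAM_OPTIONS = {
    "width": re.compile(r"[0-9]{1,5}"),
    "height": re.compile(r"[0-9]{1,5}"),
    "videobitrate": re.compile(r"[0-9]{1,9}"),
}

# Constructed request: the value smuggles a second filter into the -vf graph.
INJECTED_QUERY = {
    "width": "640,drawtext=textfile=/tmp/constructed-example.txt",
    "height": "360",
}


class StreamOptionError(ValueError):
    """Raised when a query parameter is not a well-formed stream option."""


def build_ffmpeg_args_vulnerable(query):
    """Vulnerable pattern: lower-cased query values are spliced straight into the
    ffmpeg filter graph. Passing argv as a list keeps the shell out of it, but
    ffmpeg's own filter-graph grammar still parses ',' and '=' inside the value,
    so a value carrying 'drawtext=...' becomes an additional filter."""
    width = query.get("width", "-1").lower()
    height = query.get("height", "-1").lower()
    return ["ffmpeg", "-i", "input.mkv", "-vf", f"scale={width}:{height}",
            "-f", "mpegts", "pipe:1"]


def parse_stream_options(query):
    """Hardened parser: lower-case the option *name* only, keep allowlisted names,
    and require the value to match its pattern in full. Unknown names are dropped,
    and each value becomes a typed int so no raw request string reaches ffmpeg."""
    options = {}
    for name, value in query.items():
        name = name.lower()
        pattern = ALLOWED_STREAM_OPTIONS.get(name)
        if pattern is None:
            continue
        if not isinstance(value, str) or pattern.fullmatch(value) is None:
            raise StreamOptionError(f"invalid value for stream option {name!r}")
        options[name] = int(value)
    return options


def build_ffmpeg_args_hardened(query):
    """Build argv from typed, validated options only."""
    options = parse_stream_options(query)
    width = options.get("width", -1)
    height = options.get("height", -1)
    return ["ffmpeg", "-i", "input.mkv", "-vf", f"scale={width}:{height}",
            "-f", "mpegts", "pipe:1"]


def video_filter(args):
    """Return the filter graph that would be handed to ffmpeg (the value after -vf)."""
    return args[args.index("-vf") + 1]


def filter_graph_has_extra_filters(args):
    """Detection helper for the scale-only graph built above: an injected filter
    shows up as a ',' separator or as more than one '='."""
    graph = video_filter(args)
    return "," in graph or graph.count("=") != 1


def stream_options_accepted(query):
    """True if the hardened parser accepts the request, False if it rejects it."""
    try:
        parse_stream_options(query)
        return True
    except StreamOptionError:
        return False
```

The vulnerable builder already passes argv as a list, so there is no shell to quote for: the injection lands in ffmpeg's own option and filter-graph grammar, and the fix is to never let a raw request string reach it.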
Jellyfin media server versions before 10.11.7 allow authenticated users to escalate privileges to administrator through a chained exploit involving M3U tuner SSRF, local file read, and database exfiltration. Any authenticated user can exploit this because the EnableLiveTvManagement permission is enabled by default. The chain reads the Jellyfin database and extracts admin session tokens, giving full administrative control. CVSS 8.6 (High): network-accessible, requiring only low-privilege authentication. Not listed in CISA KEV, so no confirmed active exploitation, but public disclosure via GitHub Security Advisory means exploit details are known.
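A defensive check for the SSRF link in that chain, added here as an example and not Jellyfin's own code: tuner URLs are restricted to http(s), and every address the host resolves to must be public, which rules out file: URLs as well as fetches of loopback, RFC 1918 and link-local targets. The hostnames and addresses in CONSTRUCTED_DNS are made up for the example, and the resolver is injectable so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")

# Constructed DNS table for the example; the real default resolver is below.
CONSTRUCTED_DNS = {
    "tuner.example.test": {"93.184.216.34"},
    "intranet.example.test": {"10.0.0.5"},
    # A name that resolves to one public and one loopback address must fail:
    # the fetch might hit either record.
    "dual.example.test": {"93.184.216.34", "127.0.0.1"},
}


class UnsafeTunerUrl(ValueError):
    """Raised when a tuner URL could make the server fetch something it should not."""


def resolve_host(host):
    """Default resolver: every address the host currently resolves to (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def constructed_resolver(host):
    """Offline stand-in for resolve_host backed by the constructed table."""
    try:
        return CONSTRUCTED_DNS[host]
    except KeyError:
        raise socket.gaierror(f"unknown host {host}")


def is_public_address(addr):
    """Reject anything that is not globally routable unicast."""
    # IPv4-mapped IPv6 (::ffff:10.0.0.5) carries an IPv4 address; judge that one.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def validate_tuner_url(url, resolve=resolve_host):
    """Return url unchanged if it is safe to fetch, otherwise raise UnsafeTunerUrl."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeTunerUrl(f"scheme {parts.scheme!r} not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeTunerUrl("missing host")
    try:
        # IP literal (including bracketed IPv6): no DNS lookup needed.
        addresses = {ipaddress.ip_address(host)}
    except ValueError:
        try:
            addresses = {ipaddress.ip_address(a) for a in resolve(host)}
        except (socket.gaierror, ValueError) as exc:
            raise UnsafeTunerUrl(f"cannot resolve {host!r}: {exc}") from exc
    if not addresses:
        raise UnsafeTunerUrl(f"{host!r} resolved to no addresses")
    for addr in addresses:
        if not is_public_address(addr):
            raise UnsafeTunerUrl(f"{host!r} resolves to non-public address {addr}")
    return url


def tuner_url_allowed(url, resolve=constructed_resolver):
    """Boolean form of validate_tuner_url, using the constructed resolver by default."""
    try:
        validate_tuner_url(url, resolve=resolve)
        return True
    except UnsafeTunerUrl:
        return False
```

Resolution happens at validation time, so a host whose record changes afterwards (DNS rebinding) can still slip through; pin the validated address when the fetch is actually made, and run the same check on any stream URLs the server later follows from inside the downloaded playlist.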
Remote code execution as root in Jellyfin media server versions prior to 10.11.7 allows authenticated users with the 'Upload Subtitles' permission to execute arbitrary code through a multi-stage attack chain: path traversal in subtitle uploads yields an arbitrary file write, which is then used to manipulate ld.so.preload. CVSS 9.9 (Critical) reflects the complete system compromise potential. EPSS data not available. Not listed in CISA KEV, so no confirmed active exploitation at time of analysis. The attack requires only low-privilege authenticated access but ends in full root-level code execution.
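A containment check for the subtitle-upload path, added as an example and not Jellyfin's code: the requested name is rejected if it is absolute or carries a NUL or backslash, its suffix must be on a subtitle allowlist, and after '..' and symlinks are resolved the write is refused unless the result is still under the media directory. The suffix allowlist and the temporary media directory are assumptions for the example.

```python
import os
import pathlib
import tempfile

# Constructed allowlist of suffixes a subtitle upload may carry.
ALLOWED_SUBTITLE_SUFFIXES = {".srt", ".ass", ".ssa", ".vtt", ".sub"}

# Throwaway media directory so the example runs anywhere.
DEMO_MEDIA_DIR = tempfile.mkdtemp(prefix="subtitle-example-")


class UnsafeUploadPath(ValueError):
    """Raised when a requested upload path would leave the media directory."""


def subtitle_target_path(media_dir, requested_name):
    """Return the absolute path an upload may be written to, or raise.

    Order of checks: non-empty string, no NUL, no backslash (not a separator on
    POSIX, so it survives normalisation and confuses other tools), not absolute,
    allowlisted suffix, and finally containment after resolving '..' and symlinks.
    """
    if not isinstance(requested_name, str) or not requested_name:
        raise UnsafeUploadPath("empty upload name")
    if "\x00" in requested_name or "\\" in requested_name:
        raise UnsafeUploadPath("forbidden character in upload name")
    if os.path.isabs(requested_name):
        raise UnsafeUploadPath("absolute paths are not allowed")
    suffix = pathlib.PurePosixPath(requested_name).suffix.lower()
    if suffix not in ALLOWED_SUBTITLE_SUFFIXES:
        raise UnsafeUploadPath(f"suffix {suffix!r} is not a subtitle format")

    base = pathlib.Path(media_dir).resolve(strict=True)
    # resolve() follows symlinks in existing components and collapses '..', so a
    # link inside media_dir pointing outside it is caught here, not just '../'.
    target = (base / requested_name).resolve()
    if target == base or base not in target.parents:
        raise UnsafeUploadPath(f"{requested_name!r} escapes the media directory")
    return str(target)


def upload_allowed(media_dir, requested_name):
    """Boolean form of subtitle_target_path."""
    try:
        subtitle_target_path(media_dir, requested_name)
        return True
    except UnsafeUploadPath:
        return False


def symlink_escape_blocked():
    """Constructed case: a symlink inside the media dir pointing at the system temp
    dir. A write through it would land outside media_dir, so it must be refused."""
    link = os.path.join(DEMO_MEDIA_DIR, "outside")
    if not os.path.lexists(link):
        os.symlink(tempfile.gettempdir(), link)
    return not upload_allowed(DEMO_MEDIA_DIR, "outside/movie.srt")
```

The ld.so.preload step of the chain needs a write under /etc, which only succeeds when the Jellyfin process itself runs as root; running it as an unprivileged user limits what the same traversal could reach even where the containment check is missing.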
Jellyfin is an open source self-hosted media server. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable.
Jellyfin is an open source self-hosted media server. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, no authentication required.