Media Server
Monthly
In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve share tokens (intended for unrelated access) via a shared_servers endpoint. [CVSS 5.0 MEDIUM]
In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve other tokens (intended for unrelated access) via clients.plex.tv/devices.xml. [CVSS 5.0 MEDIUM]
In Plex Media Server (PMS) through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account. [CVSS 7.1 HIGH]
Plex Media Server (PMS) through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token. [CVSS 8.5 HIGH]
A security vulnerability in application uses a weak password (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
The FTP server’s login mechanism does not restrict authentication attempts, allowing an attacker to brute-force user passwords and potentially compromising the FTP server.
Cleartext credential transmission vulnerability where a server accepts authentication methods that transmit credentials over unencrypted channels, allowing network-based attackers to intercept and expose user credentials without requiring authentication or user interaction. The vulnerability affects any server implementation supporting plaintext credential transmission over HTTP or other unencrypted protocols. This is a high-severity confidentiality issue (CVSS 7.5) with network-accessible attack vector and no complexity requirements, making it exploitable by unauthenticated remote attackers through passive network interception.
The application fails to implement several security headers. These headers help increase the overall security level of the web application by e.g., preventing the application to be displayed in an iFrame (Clickjacking attacks) or not executing injected malicious JavaScript code (XSS attacks).
The web application is vulnerable to clickjacking attacks. The site can be embedded into another frame, allowing an attacker to trick a user into clicking on something different from what the user perceives. This could potentially reveal confidential information or allow others to take control of their computer while clicking on seemingly innocuous objects.
CVE-2025-49189 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks.
CVE-2025-49183 is an unencrypted HTTP communication vulnerability in a REST API that exposes all traffic to network-level interception, allowing unauthenticated attackers to gather sensitive information and exfiltrate media files without authentication or user interaction required. The vulnerability affects systems using unencrypted REST API endpoints and carries a CVSS 7.5 score reflecting high confidentiality impact; real-world exploitation risk depends on network positioning and whether the affected API handles sensitive data or privileged operations.
Critical credential exposure vulnerability where admin login credentials and property configuration passwords are embedded directly in source code, enabling unauthenticated remote attackers to gain full administrative access to the affected application. The vulnerability has a CVSS score of 7.5 (High) with a network attack vector requiring no privileges or user interaction. While specific KEV/EPSS data and POC availability are not provided in the input, the presence of hardcoded credentials in source code represents a severe and often easily discoverable weakness that typically sees rapid exploitation once disclosed.
CVE-2025-49181 is an authorization bypass vulnerability in an unspecified API endpoint that allows unauthenticated remote attackers to read sensitive information via HTTP GET requests and modify service configuration (log paths, TCP ports) via HTTP POST requests, potentially causing denial of service. With a CVSS score of 8.6 and network-accessible attack vector requiring no authentication, this vulnerability presents a significant risk to exposed instances; KEV/EPSS/POC status cannot be confirmed from provided data, warranting immediate investigation of affected infrastructure.
In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve share tokens (intended for unrelated access) via a shared_servers endpoint. [CVSS 5.0 MEDIUM]
In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve other tokens (intended for unrelated access) via clients.plex.tv/devices.xml. [CVSS 5.0 MEDIUM]
In Plex Media Server (PMS) through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account. [CVSS 7.1 HIGH]
Plex Media Server (PMS) through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token. [CVSS 8.5 HIGH]
A security vulnerability in application uses a weak password (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
The FTP server’s login mechanism does not restrict authentication attempts, allowing an attacker to brute-force user passwords and potentially compromising the FTP server.
Cleartext credential transmission vulnerability where a server accepts authentication methods that transmit credentials over unencrypted channels, allowing network-based attackers to intercept and expose user credentials without requiring authentication or user interaction. The vulnerability affects any server implementation supporting plaintext credential transmission over HTTP or other unencrypted protocols. This is a high-severity confidentiality issue (CVSS 7.5) with network-accessible attack vector and no complexity requirements, making it exploitable by unauthenticated remote attackers through passive network interception.
The application fails to implement several security headers. These headers help increase the overall security level of the web application by e.g., preventing the application to be displayed in an iFrame (Clickjacking attacks) or not executing injected malicious JavaScript code (XSS attacks).
The web application is vulnerable to clickjacking attacks. The site can be embedded into another frame, allowing an attacker to trick a user into clicking on something different from what the user perceives. This could potentially reveal confidential information or allow others to take control of their computer while clicking on seemingly innocuous objects.
CVE-2025-49189 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks.
CVE-2025-49183 is an unencrypted HTTP communication vulnerability in a REST API that exposes all traffic to network-level interception, allowing unauthenticated attackers to gather sensitive information and exfiltrate media files without authentication or user interaction required. The vulnerability affects systems using unencrypted REST API endpoints and carries a CVSS 7.5 score reflecting high confidentiality impact; real-world exploitation risk depends on network positioning and whether the affected API handles sensitive data or privileged operations.
Critical credential exposure vulnerability where admin login credentials and property configuration passwords are embedded directly in source code, enabling unauthenticated remote attackers to gain full administrative access to the affected application. The vulnerability has a CVSS score of 7.5 (High) with a network attack vector requiring no privileges or user interaction. While specific KEV/EPSS data and POC availability are not provided in the input, the presence of hardcoded credentials in source code represents a severe and often easily discoverable weakness that typically sees rapid exploitation once disclosed.
CVE-2025-49181 is an authorization bypass vulnerability in an unspecified API endpoint that allows unauthenticated remote attackers to read sensitive information via HTTP GET requests and modify service configuration (log paths, TCP ports) via HTTP POST requests, potentially causing denial of service. With a CVSS score of 8.6 and network-accessible attack vector requiring no authentication, this vulnerability presents a significant risk to exposed instances; KEV/EPSS/POC status cannot be confirmed from provided data, warranting immediate investigation of affected infrastructure.