Seerr
Seerr prior to version 3.1.0 leaks sensitive third-party API credentials (Pushover, Pushbullet, Telegram) through the GET /api/v1/user/:id endpoint to any authenticated user, regardless of privilege level. When combined with CVE-2026-27707 (unauthenticated account creation), an attacker with no prior access can extract credentials for all users, including administrators. The vulnerability is fixed in version 3.1.0.
Seerr versions 2.7.0 through 3.0.x contain an authorization bypass in push subscription API endpoints that allows authenticated users to read and modify other users' data due to missing permission checks. An attacker with valid credentials can exploit this to access sensitive information and alter configurations belonging to arbitrary accounts. The vulnerability is fixed in version 3.1.0.
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. [CVSS 7.3 HIGH]