Jellyfin is a system for managing and streaming media. Prior to version 10.8.13, the /System/MediaEncoder/Path endpoint executes an arbitrary file using ProcessStartInfo via the ValidateVersion function. A malicious administrator can setup a network share and supply a UNC path to...
7.2CVSS
6.8AI Score
0.001EPSS
Jellyfin is a Free Software Media System for managing and streaming media. In affected versions there is an argument injection in the VideosController, specifically the /Videos/<itemId>/stream and /Videos/<itemId>/stream.<container> endpoints which are present in the current Jelly...
8.8CVSS
9.1AI Score
0.001EPSS
Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal vulnerability inside the ClientLogController, specifically /ClientLog/Document. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can...
8.8CVSS
6.5AI Score
0.001EPSS
jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the REST endpoints with admin privileges. When combined with...
9CVSS
6.5AI Score
0.001EPSS
Jellyfin up to v10.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /Repositories. This vulnerability allows attackers to access network resources and sensitive information via a crafted POST...
7.5CVSS
7.3AI Score
0.001EPSS
In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the...
5.4CVSS
5.3AI Score
0.001EPSS
In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the...
5.4CVSS
5.3AI Score
0.001EPSS
5.4CVSS
5.2AI Score
0.001EPSS
In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin...
8.8CVSS
8.7AI Score
0.002EPSS
Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Verions prior to 10.7.3 vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter. This issue potentially exposes both internal and.....
5.8CVSS
5.8AI Score
0.002EPSS
Jellyfin is a Free Software Media System. In Jellyfin before version 10.7.1, with certain endpoints, well crafted requests will allow arbitrary file read from a Jellyfin server's file system. This issue is more prevalent when Windows is used as the host OS. Servers that are exposed to the public...
7.7CVSS
6.1AI Score
0.263EPSS