Lucene search
K

255 matches found

Nuclei
Nuclei
added 18 hours ago82 views

Jellyfin 10.7.2 - Server Side Request Forgery

Jellyfin is a free software media system. Versions 10.7.2 and below are vulnerable to unauthenticated Server-Side Request Forgery SSRF attacks via the imageUrl parameter. id: CVE-2021-29490 info: name: Jellyfin 10.7.2 - Server Side Request Forgery author: alph4byt3 severity: medium description: |...

5.8CVSS6.3AI score0.69856EPSS
Exploits0References5
Nuclei
Nuclei
added 18 hours ago96 views

Jellyfin <10.7.0 - Local File Inclusion

Jellyfin before 10.7.0 is vulnerable to local file inclusion. This issue is more prevalent when Windows is used as the host OS. Servers exposed to public Internet are potentially at risk. id: CVE-2021-21402 info: name: Jellyfin 10.7.0 - Local File Inclusion author: dwisiswant0 severity: medium...

7.7CVSS6.6AI score0.79855EPSS
Exploits4References5
NVD
NVD
added 2026/06/24 7:17 p.m.10 views

CVE-2026-49220

Jellyfin is an open source self hosted media server. Prior to 10.11.9, a potential XSS attack exists in Jellyfin which can allow a non-privileged user to execute arbitrary Javascript in the context of a logged-in Administrative user, resulting in numerous potential issues. The Client header durin...

5.7CVSS0.00194EPSS
Exploits0References1
NVD
NVD
added 2026/06/24 7:17 p.m.11 views

CVE-2026-49246

Jellyfin is an open source self hosted media server. Prior to 10.11.10, a specifically crafted MKV file containing forged filename tags can be leveraged to exploit missing path sanitization during playback. Jellyfin treats the MKV file name tag on MKV attachments as trusted and passes it...

6.3CVSS0.00258EPSS
Exploits0References1
NVD
NVD
added 2026/06/24 7:17 p.m.8 views

CVE-2026-49247

Jellyfin is an open source self hosted media server. From 10.9.0 until 10.11.10, the POST /ClientLog/Document endpoint accepts the Authorization header's Client and Version fields and uses them unsanitized as components of the on-disk filename when persisting client-uploaded log documents. As a...

8.8CVSS0.00344EPSS
Exploits0References1
NVD
NVD
added 2026/06/24 7:17 p.m.12 views

CVE-2026-48793

Jellyfin is an open source self hosted media server. Prior to 10.11.10, a potential FFmpeg argument injection vulnerability exists in the subtitle conversion code path. SubtitleEncoder.ConvertTextSubtitleToSrtInternal SubtitleEncoder.cs, line 382 interpolates the subtitle file path into FFmpeg...

8.8CVSS0.00357EPSS
Exploits0References1
Snyk
Snyk
added 2026/06/24 7:15 p.m.7 views

Arbitrary Argument Injection

Overview Jellyfin.Common is an a Free Software Media System that puts you in control of managing and streaming your media. Affected versions of this package are vulnerable to Arbitrary Argument Injection via the SubtitleEncoder.ConvertTextSubtitleToSrtInternal process. An attacker can achieve...

8.8CVSS6AI score0.00357EPSS
Exploits0References2
Snyk
Snyk
added 2026/06/24 7:15 p.m.6 views

Directory Traversal

Overview Jellyfin.Common is an a Free Software Media System that puts you in control of managing and streaming your media. Affected versions of this package are vulnerable to Directory Traversal via the POST /ClientLog/Document endpoint, which uses unsanitized values from the Authorization header...

8.8CVSS6.5AI score0.00344EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/24 6:23 p.m.29 views

CVE-2026-49220 Jellyfin: Potential XSS in user management

Jellyfin is an open source self hosted media server. Prior to 10.11.9, a potential XSS attack exists in Jellyfin which can allow a non-privileged user to execute arbitrary Javascript in the context of a logged-in Administrative user, resulting in numerous potential issues. The Client header durin...

5.7CVSS0.00194EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/24 6:23 p.m.2 views

CVE-2026-49220

Jellyfin is an open source self hosted media server. Prior to 10.11.9, a potential XSS attack exists in Jellyfin which can allow a non-privileged user to execute arbitrary Javascript in the context of a logged-in Administrative user, resulting in numerous potential issues. The Client header durin...

5.7CVSS6.1AI score0.00194EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/06/24 6:22 p.m.42 views

CVE-2026-48793 Jellyfin: Potential FFmpeg argument injection via unescaped subtitle file path

Jellyfin is an open source self hosted media server. Prior to 10.11.10, a potential FFmpeg argument injection vulnerability exists in the subtitle conversion code path. SubtitleEncoder.ConvertTextSubtitleToSrtInternal SubtitleEncoder.cs, line 382 interpolates the subtitle file path into FFmpeg...

8.8CVSS0.00357EPSS
Exploits0References1
CVE
CVE
added 2026/06/24 6:22 p.m.14 views

CVE-2026-48793

Jellyfin is affected by CVE-2026-48793 prior to version 10.11.10. The issue arises in the subtitle conversion path where SubtitleEncoder.ConvertTextSubtitleToSrtInternal interpolates the subtitle file path into FFmpeg command-line arguments without normalizing the path, allowing injection of arbi...

8.8CVSS6.1AI score0.00357EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/24 6:21 p.m.29 views

CVE-2026-49246 Jellyfin: Potential MKV attachment filename path traversal to RCE

Jellyfin is an open source self hosted media server. Prior to 10.11.10, a specifically crafted MKV file containing forged filename tags can be leveraged to exploit missing path sanitization during playback. Jellyfin treats the MKV file name tag on MKV attachments as trusted and passes it...

6.3CVSS0.00258EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/24 6:21 p.m.4 views

CVE-2026-49246

Jellyfin is an open source self hosted media server. Prior to 10.11.10, a specifically crafted MKV file containing forged filename tags can be leveraged to exploit missing path sanitization during playback. Jellyfin treats the MKV file name tag on MKV attachments as trusted and passes it...

6.3CVSS5.9AI score0.00258EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/24 6:21 p.m.8 views

CVE-2026-49246

Summary: Jellyfin is vulnerable to a path traversal leading to remote code execution via crafted MKV attachment filename tags. The issue stems from unsanitized input being passed to Path.Combine(attachmentFolder, fileName) in PathManager.GetAttachmentPath, where Path.Combine does not normalise or...

6.3CVSS5.9AI score0.00258EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/24 6:18 p.m.4 views

CVE-2026-49247

Jellyfin is an open source self hosted media server. From 10.9.0 until 10.11.10, the POST /ClientLog/Document endpoint accepts the Authorization header's Client and Version fields and uses them unsanitized as components of the on-disk filename when persisting client-uploaded log documents. As a...

8.8CVSS6AI score0.00344EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/24 6:18 p.m.10 views

CVE-2026-49247

Jellyfin (open-source self-hosted media server) has a authenticated path-traversal vulnerability in the POST /ClientLog/Document endpoint affecting 10.9.0 through 10.11.10. The endpoint uses the Authorization header’s Client and Version fields to form on-disk filenames for client-uploaded log doc...

8.8CVSS6AI score0.00344EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/24 6:18 p.m.32 views

CVE-2026-49247 Jellyfin: Potential Authenticated path traversal in /ClientLog/Document

Jellyfin is an open source self hosted media server. From 10.9.0 until 10.11.10, the POST /ClientLog/Document endpoint accepts the Authorization header's Client and Version fields and uses them unsanitized as components of the on-disk filename when persisting client-uploaded log documents. As a...

8.8CVSS0.00344EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.7 views

PT-2026-52059

Name of the Vulnerable Software and Affected Versions Jellyfin versions prior to 10.11.10 Description An argument injection issue exists in the subtitle conversion process. The function ConvertTextSubtitleToSrtInternal interpolates the subtitle file path into FFmpeg command-line arguments without...

8.8CVSS5.9AI score0.00357EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.11 views

PT-2026-52066

Name of the Vulnerable Software and Affected Versions Jellyfin versions prior to 10.11.10 Description Missing path sanitization during playback allows the use of a specially crafted MKV file with forged filename tags to redirect attachment extraction to any absolute path on the disk. This occurs...

6.3CVSS5.8AI score0.00258EPSS
Exploits0References4
Rows per page
Query Builder