5 matches found
CVE-2026-40348
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can trigger server-side requests to arbitrary internal targets through POST /settings/jellyfin/server-url-verify. The endpoint accepts a user-controlled URL, appends...
PT-2026-33540
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can trigger server-side requests to arbitrary internal targets through POST /settings/jellyfin/server-url-verify. The endpoint accepts a user-controlled URL, appends...
CVE-2026-27707 Plex-configured Seerr instances vulnerable to unauthenticated account registration via Jellyfin authentication endpoint
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in POST /api/v1/auth/jellyfin allows an unauthenticated attacker to register a new Seerr account on any Plex-configure...
CVE-2026-27707
Seerr (open‑source media request/discovery manager for Jellyfin, Plex, Emby) contains two related vulnerabilities tracked as CVE-2026-27707 and CVE-2026-27793. For versions 2.0.0 up to before 3.1.0, an authentication guard flaw in POST /api/v1/auth/jellyfin can allow an unauthenticated attacker t...
CVE-2026-27707 Plex-configured Seerr instances vulnerable to unauthenticated account registration via Jellyfin authentication endpoint
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in POST /api/v1/auth/jellyfin allows an unauthenticated attacker to register a new Seerr account on any Plex-configure...