CVE-2026-49247
Jellyfin is an open source self hosted media server. From 10.9.0 until 10.11.10, the POST /ClientLog/Document endpoint accepts the Authorization header's Client and Version fields and uses them unsanitized as components of the on-disk filename when persisting client-uploaded log documents. As a...
CVE-2026-48793
Jellyfin is affected by CVE-2026-48793 prior to version 10.11.10. The issue arises in the subtitle conversion path where SubtitleEncoder.ConvertTextSubtitleToSrtInternal interpolates the subtitle file path into FFmpeg command-line arguments without normalizing the path, allowing injection of arbi...
PT-2026-52066
Name of the Vulnerable Software and Affected Versions: Jellyfin versions prior to 10.11.10. Description: Missing path sanitization during playback allows the use of a specially crafted MKV file with forged filename tags to redirect attachment extraction to any absolute path on the disk. This occurs...
CVE-2026-35031
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint POST /Videos/itemId/Subtitles, where the Format field is not validated, allowing path traversal via the file extension and enabling arbitrary file write. Th...
CVE-2026-35033
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary file read vulnerability via ffmpeg argument injection through the StreamOptions query parameter parsing mechanism. The ParseStreamOptions method in StreamingHelpers.cs adds any...
CVE-2026-35034
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a denial of service vulnerability in the SyncPlay group creation endpoint POST /SyncPlay/New, where an authenticated user can create groups with names of unlimited size due to insufficient input validation. By...
CVE-2023-49096
Jellyfin is a Free Software Media System for managing and streaming media. In affected versions there is an argument injection in the VideosController, specifically the /Videos//stream and /Videos//stream. endpoints which are present in the current Jellyfin version. Additional endpoints in the...
EUVD-2022-6613
Malicious code in bioql PyPI...
EUVD-2023-27723
Malicious code in bioql PyPI...
EUVD-2023-30943
Malicious code in bioql PyPI...
EUVD-2023-1255
Malicious code in bioql PyPI...
CVE-2023-27161
Jellyfin up to v10.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /Repositories. This vulnerability allows attackers to access network resources and sensitive information via a crafted POST request...
CVE-2023-30626
Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 have a directory traversal vulnerability inside the ClientLogController, specifically /ClientLog/Document. When combined with a cross-site scripting vulnerability CVE-2023-30627, this can result...
CVE-2021-21402
Jellyfin is a Free Software Media System. In Jellyfin before version 10.7.1, with certain endpoints, well crafted requests will allow arbitrary file read from a Jellyfin server's file system. This issue is more prevalent when Windows is used as the host OS. Servers that are exposed to the public...
CVE-2021-29490
Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Versions prior to 10.7.3 are vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter. This issue potentially exposes both internal and...
CVE-2025-31499
Jellyfin is an open source self hosted media server. Versions before 10.10.7 are vulnerable to argument injection in FFmpeg. This can be leveraged to possibly achieve remote code execution by anyone with credentials to a low-privileged user. This vulnerability was previously reported in...
CVE-2025-31499
Jellyfin CVE-2025-31499 affects versions before 10.10.7. An FFmpeg argument-injection flaw exists in endpoints such as /Videos//stream and /Videos//stream. (and similar in AudioController), allowing unsanitized parameters to reach FFmpeg’s command line. This can enable arbitrary file writes and p...
CVE-2025-31499 Jellyfin Vulnerable to Argument Injection in FFmpeg
Jellyfin is an open source self hosted media server. Versions before 10.10.7 are vulnerable to argument injection in FFmpeg. This can be leveraged to possibly achieve remote code execution by anyone with credentials to a low-privileged user. This vulnerability was previously reported in...
CVE-2025-32012 Jellyfin Vulnerable to Denial of Service (DoS) via IP Spoofing
Jellyfin is an open source self hosted media server. In versions 10.9.0 to before 10.10.7, the /System/Restart endpoint provides administrators the ability to restart their Jellyfin server. This endpoint is intended to be admins-only, but it also authorizes requests from any device in the same...
CVE-2025-32012
Summary: CVE-2025-32012 affects Jellyfin versions 10.9.0 through 10.10.6, where the "/System/Restart" admin endpoint can be spoofed to restart the server by unauthenticated attackers on the same LAN, due to how the source IP is determined. Impact: Unauthenticated DoS against default-configured Je...