Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

17 matches found

RedhatCVE
RedhatCVEadded 2 days ago4 views

CVE-2026-41167

Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via POST /api/getUserDetai...

9.1CVSS6AI score0.00111EPSS
Exploits0References1
NVD
NVDadded 2026/04/22 9:17 p.m.1 views

CVE-2026-41167

Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via POST /api/getUserDetai...

9.1CVSS0.00111EPSS
Exploits0References2
Cvelist
Cvelistadded 2026/04/22 8:39 p.m.24 views

CVE-2026-41167 Jellystat has SQL Injection that leads to to Remote Code Execution

Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via POST /api/getUserDetai...

9.1CVSS0.00111EPSS
Exploits0References2
ATTACKERKB
ATTACKERKBadded 2026/04/22 8:39 p.m.1 views

CVE-2026-41167

Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via POST /api/getUserDetai...

9.1CVSS6.1AI score0.00111EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichmentadded 2026/04/22 8:39 p.m.1 views

CVE-2026-41167 Jellystat has SQL Injection that leads to to Remote Code Execution

Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via POST /api/getUserDetai...

9.1CVSS6.1AI score0.00111EPSS
Exploits0References2
CVE
CVEadded 2026/04/22 8:39 p.m.9 views

CVE-2026-41167

Jellystat prior to 1.1.10 exposes SQL injection via POST /api/getUserDetails and POST /api/getLibrary, where unsanitized request-body fields are interpolated into raw SQL. This allows an authenticated user to read any table (including app_config) and, due to node-postgres simple query usage, enab...

9.1CVSS6.1AI score0.00111EPSS
Exploits0References2
EUVD
EUVDadded 2026/04/22 8:39 p.m.2 views

EUVD-2026-25098

Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via POST /api/getUserDetai...

9.1CVSS6.1AI score0.00111EPSS
Exploits0References2
Positive Technologies
Positive Technologiesadded 2026/04/22 12:0 a.m.3 views

PT-2026-34561

Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via POST /api/getUserDetai...

9.1CVSS6.1AI score0.00111EPSS
Exploits0References4
CNNVD
CNNVDadded 2026/04/22 12:0 a.m.3 views

Jellystat SQL注入漏洞

Jellystat is a free and open-source statistical application developed by Thegan Govender as an individual project. Versions of Jellystat prior to 1.1.10 contained a SQL injection vulnerability. This vulnerability stemmed from multiple API endpoints that constructed queries by directly inserting...

9.1CVSS6.2AI score0.00111EPSS
Exploits0References1
EUVD
EUVDadded 2025/10/03 8:7 p.m.1 views

EUVD-2025-3991

Malicious code in bioql PyPI...

8.7CVSS6.6AI score0.00192EPSS
Exploits0References3
RedhatCVE
RedhatCVEadded 2025/02/07 9:49 a.m.5 views

CVE-2025-24960

Jellystat is a free and open source Statistics App for Jellyfin. In affected versions Jellystat is directly using a user input in the routes. This can lead to Path Traversal Vulnerabilities. Since this functionality is only for admins, there is very little scope for abuse. However, the DELETE...

8.7CVSS6.7AI score0.00192EPSS
Exploits0References1
NVD
NVDadded 2025/02/03 9:15 p.m.2 views

CVE-2025-24960

Jellystat is a free and open source Statistics App for Jellyfin. In affected versions Jellystat is directly using a user input in the routes. This can lead to Path Traversal Vulnerabilities. Since this functionality is only for admins, there is very little scope for abuse. However, the DELETE...

8.7CVSS0.00192EPSS
Exploits0References3
Cvelist
Cvelistadded 2025/02/03 8:40 p.m.18 views

CVE-2025-24960 Missing Input validation for filename in backups endpoint in Jellystat

Jellystat is a free and open source Statistics App for Jellyfin. In affected versions Jellystat is directly using a user input in the routes. This can lead to Path Traversal Vulnerabilities. Since this functionality is only for admins, there is very little scope for abuse. However, the DELETE...

8.7CVSS0.00192EPSS
Exploits0References3
OSV
OSVadded 2025/02/03 8:40 p.m.2 views

CVE-2025-24960 Missing Input validation for filename in backups endpoint in Jellystat

Jellystat is a free and open source Statistics App for Jellyfin. In affected versions Jellystat is directly using a user input in the routes. This can lead to Path Traversal Vulnerabilities. Since this functionality is only for admins, there is very little scope for abuse. However, the DELETE...

8.7CVSS6.7AI score0.00192EPSS
Exploits0References5
CVE
CVEadded 2025/02/03 8:40 p.m.44 views

CVE-2025-24960

Jellystat (Jellyfin stats app) is affected by a path traversal vulnerability in versions before 1.1.3, caused by directly using user input in routing. The issue enables deletion of arbitrary files via the DELETE files/:filename endpoint. The vulnerability is mitigated by upgrading to 1.1.3; no pu...

8.7CVSS8.6AI score0.00192EPSS
Exploits0References3
Vulnrichment
Vulnrichmentadded 2025/02/03 8:40 p.m.5 views

CVE-2025-24960 Missing Input validation for filename in backups endpoint in Jellystat

Jellystat is a free and open source Statistics App for Jellyfin. In affected versions Jellystat is directly using a user input in the routes. This can lead to Path Traversal Vulnerabilities. Since this functionality is only for admins, there is very little scope for abuse. However, the DELETE...

8.7CVSS8.6AI score0.00192EPSS
Exploits0References3
CNNVD
CNNVDadded 2025/02/03 12:0 a.m.0 views

Jellystat 路径遍历漏洞

Jellystat is a free open source statistics application from the individual developer Thegan Govender. A path traversal vulnerability exists in versions of Jellystat prior to 1.1.2, which stems from the direct use of user input in routing, resulting in a path traversal vulnerability that allows th...

8.7CVSS6.8AI score0.00192EPSS
Exploits0References3
Rows per page
Query Builder