CVE-2026-35032
Jellyfin (pre-10.11.7) has a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts) where tuner URLs aren’t validated, enabling local file reads via non-HTTP paths and SSRF via HTTP URLs. Exploitation is possible by any authenticated user because EnableLiveTvManagement def...