CVE-2026-35033
Jellyfin before version 10.11.7 is affected by an unauthenticated arbitrary file read via ffmpeg argument injection in the StreamOptions parsing. The ParseStreamOptions method collects lowercase query parameters into a dictionary without validation, allowing them to be concatenated into the ffmpe...