CVE-2026-35033

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary file read vulnerability via ffmpeg argument injection through the StreamOptions query parameter parsing mechanism. The ParseStreamOptions method in StreamingHelpers.cs adds any...

EUVD-2026-22768

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary file read vulnerability via ffmpeg argument injection through the StreamOptions query parameter parsing mechanism. The ParseStreamOptions method in StreamingHelpers.cs adds any...

PT-2026-32958

Name of the Vulnerable Software and Affected Versions Jellyfin versions prior to 10.11.7 Description An unauthenticated arbitrary file read is possible via ffmpeg argument injection through the query parameter parsing mechanism. The ParseStreamOptions method in StreamingHelpers.cs adds lowercase...

PT-2025-16473 · Jellyfin +1 · Jellyfin +1

Name of the Vulnerable Software and Affected Versions: Jellyfin versions prior to 10.10.7 Description: Jellyfin is an open source self-hosted media server. The issue concerns argument injection in FFmpeg, which can potentially lead to remote code execution by anyone with credentials to a...