EUVD-2026-9052

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in POST /api/v1/auth/jellyfin allows an unauthenticated attacker to register a new Seerr account on any Plex-configure...

CVE-2026-27707 Plex-configured Seerr instances vulnerable to unauthenticated account registration via Jellyfin authentication endpoint

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in POST /api/v1/auth/jellyfin allows an unauthenticated attacker to register a new Seerr account on any Plex-configure...

CVE-2026-27707

Seerr (open‑source media request/discovery manager for Jellyfin, Plex, Emby) contains two related vulnerabilities tracked as CVE-2026-27707 and CVE-2026-27793. For versions 2.0.0 up to before 3.1.0, an authentication guard flaw in POST /api/v1/auth/jellyfin can allow an unauthenticated attacker t...

CVE-2026-27707 Plex-configured Seerr instances vulnerable to unauthenticated account registration via Jellyfin authentication endpoint

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in POST /api/v1/auth/jellyfin allows an unauthenticated attacker to register a new Seerr account on any Plex-configure...

PT-2026-22380

Name of the Vulnerable Software and Affected Versions Seerr versions 2.0.0 through 3.0.9 Description Seerr is a media request and discovery manager for Jellyfin, Plex, and Emby. A flaw in the authentication guard logic within the /api/v1/auth/jellyfin API endpoint allows an unauthenticated attack...

CVE-2021-33959

Plex media server 1.21 and before is vulnerable to ddos reflection attack via plex service...

Plex Media Server <= 1.43.0.10389 Multiple Vulnerabilities

Plex Media Server is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:plex:plexmediaserver";...

CVE-2025-69415

In Plex Media Server PMS through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account...

CVE-2025-69414

Plex Media Server PMS through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token...

CVE-2025-69417

In the plex.tv backend for Plex Media Server PMS through 2025-12-31, a non-server device token can retrieve share tokens intended for unrelated access via a sharedservers endpoint...

CVE-2025-69416

In the plex.tv backend for Plex Media Server PMS through 2025-12-31, a non-server device token can retrieve other tokens intended for unrelated access via clients.plex.tv/devices.xml...

CVE-2025-69417

In the plex.tv backend for Plex Media Server PMS through 2025-12-31, a non-server device token can retrieve share tokens intended for unrelated access via a sharedservers endpoint...

CVE-2025-69416

In the plex.tv backend for Plex Media Server PMS through 2025-12-31, a non-server device token can retrieve other tokens intended for unrelated access via clients.plex.tv/devices.xml...

CVE-2025-69416

In the plex.tv backend for Plex Media Server PMS through 2025-12-31, a non-server device token can retrieve other tokens intended for unrelated access via clients.plex.tv/devices.xml...

CVE-2025-69417

In the plex.tv backend for Plex Media Server PMS through 2025-12-31, a non-server device token can retrieve share tokens intended for unrelated access via a sharedservers endpoint...

CVE-2025-69414

Plex Media Server PMS through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token...

CVE-2025-69415

In Plex Media Server PMS through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account...

CVE-2025-69414

Plex Media Server PMS through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token...

CVE-2025-69415

In Plex Media Server PMS through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account...

CVE-2025-69417

In the plex.tv backend for Plex Media Server PMS through 2025-12-31, a non-server device token can retrieve share tokens intended for unrelated access via a sharedservers endpoint...