27 matches found
CVE-2026-27793
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the GET /api/v1/user/:id endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of...
CVE-2026-27792
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and prior to version 3.1.0. It allows authenticated users to access and modify data belonging to other...
CVE-2026-27707
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in POST /api/v1/auth/jellyfin allows an unauthenticated attacker to register a new Seerr account on any Plex-configure...
CVE-2026-27792
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and prior to version 3.1.0. It allows authenticated users to access and modify data belonging to other...
CVE-2026-27793
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the GET /api/v1/user/:id endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of...
CVE-2026-27793
CVE-2026-27793 describes a broken access control in Seerr prior to 3.1.0, where the GET /api/v1/user/:id endpoint returns the full user settings object (including credentials for Pushover, Pushbullet, Telegram) to any authenticated requester, regardless of privileges. This allows eavesdropping of...
CVE-2026-27793 Seerr has Broken Object-Level Authorization in User Profile Endpoint that Exposes Third-Party Notification Credentials
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the GET /api/v1/user/:id endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of...
CVE-2026-27793
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the GET /api/v1/user/:id endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of...
CVE-2026-27793 Seerr has Broken Object-Level Authorization in User Profile Endpoint that Exposes Third-Party Notification Credentials
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the GET /api/v1/user/:id endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of...
EUVD-2026-9055
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the GET /api/v1/user/:id endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of...
CVE-2026-27793 Seerr has Broken Object-Level Authorization in User Profile Endpoint that Exposes Third-Party Notification Credentials
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Prior to version 3.1.0, the GET /api/v1/user/:id endpoint returns the full settings object for any user, including Pushover, Pushbullet, and Telegram credentials, to any authenticated requester regardless of...
CVE-2026-27792
CVE-2026-27792 affects Seerr, a media request/discovery manager. A missing authorization flaw on several pushSubscription API routes (due to absent isOwnProfileOrAdmin() middleware) allows authenticated users to access/modify other users’ data. Affected versions are 2.7.0–before 3.1.0; version 3....
CVE-2026-27792
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and prior to version 3.1.0. It allows authenticated users to access and modify data belonging to other...
CVE-2026-27792 Seerr missing authentication on pushSubscription endpoints
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and prior to version 3.1.0. It allows authenticated users to access and modify data belonging to other...
CVE-2026-27792 Seerr missing authentication on pushSubscription endpoints
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and prior to version 3.1.0. It allows authenticated users to access and modify data belonging to other...
CVE-2026-27792 Seerr missing authentication on pushSubscription endpoints
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. A missing authorization vulnerability has been identified in the application starting in version 2.7.0 and prior to version 3.1.0. It allows authenticated users to access and modify data belonging to other...
CVE-2026-27707
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in POST /api/v1/auth/jellyfin allows an unauthenticated attacker to register a new Seerr account on any Plex-configure...
CVE-2026-27707 Plex-configured Seerr instances vulnerable to unauthenticated account registration via Jellyfin authentication endpoint
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in POST /api/v1/auth/jellyfin allows an unauthenticated attacker to register a new Seerr account on any Plex-configure...
CVE-2026-27707 Plex-configured Seerr instances vulnerable to unauthenticated account registration via Jellyfin authentication endpoint
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in POST /api/v1/auth/jellyfin allows an unauthenticated attacker to register a new Seerr account on any Plex-configure...
CVE-2026-27707
Seerr (open‑source media request/discovery manager for Jellyfin, Plex, Emby) contains two related vulnerabilities tracked as CVE-2026-27707 and CVE-2026-27793. For versions 2.0.0 up to before 3.1.0, an authentication guard flaw in POST /api/v1/auth/jellyfin can allow an unauthenticated attacker t...