CVE-2026-35033

Jellyfin before version 10.11.7 is affected by an unauthenticated arbitrary file read via ffmpeg argument injection in the StreamOptions parsing. The ParseStreamOptions method collects lowercase query parameters into a dictionary without validation, allowing them to be concatenated into the ffmpe...

CVE-2026-35033 Jellyfin: Potential SSRF + Arbitrary file read via stream argument injection

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary file read vulnerability via ffmpeg argument injection through the StreamOptions query parameter parsing mechanism. The ParseStreamOptions method in StreamingHelpers.cs adds any...

CVE-2022-24739

alltube is an html front end for youtube-dl. On releases prior to 3.0.3, an attacker could craft a special HTML page to trigger either an open redirect attack or a Server-Side Request Forgery attack depending on how AllTube is configured. The impact is mitigated by the fact the SSRF attack is onl...

AllTube Download 代码问题漏洞

AllTube Download is a Youtube-dl Web Gui by Pierre Rudloff, an individual developer. AllTube Download suffers from a code issue vulnerability that stems from the fact that cross-site request forgery attacks can only occur on the HTML frontend of youtube-dl when Alltube has the "stream" option...