14 matches found
CVE-2019-19141
The Plex Media Server CVE-2019-19141 vulnerability affects the Camera Upload feature through version 1.18.2.2029. It permits remote authenticated users to write files anywhere the Plex process user has permissions, enabling remote code execution. The described attack path includes directory trave...
CVE-2020-5741
Plex Media Server on Windows prior to version 1.19.3 is affected by CVE-2020-5741: an authenticated attacker can trigger unsafe Python pickle deserialization (Dict file) during camera-upload related processing, leading to remote code execution as the OS user who runs Plex. Public references descr...
CVE-2021-33959
Summary: Multiple sources report a DoS/reflection vulnerability in Plex Media Server affecting version 1.21 and earlier (with OpenVAS citing <1.21.3.4014). The Red Hat and CNNVD entries align on “Plex media server … ddos reflection attack via plex service.” The issue is described as an access-...
CVE-2020-5742
CVE-2020-5742: Affected software is Plex Media Server. The vulnerability is due to improper access control, allowing any origin to execute cross-origin application requests prior to 2020-06-15. The root cause is inadequate restriction on cross-origin interactions, enabling potentially unauthoriz...
CVE-2020-5740
Plex Media Server (Windows) is affected by CVE-2020-5740 due to improper input validation. The vulnerability allows a local, unauthenticated attacker to execute arbitrary Python code with SYSTEM privileges through the Plex update service/related input handling. This is a local privilege-escalatio...
CVE-2018-21031
CVE-2018-21031 affects Tautulli versions up to 2.1.38. The flaw arises from mishandling the X-Plex-Token, which can be retrieved from Tautulli and used to bypass access controls on Plex Media Server. The description indicates the affected product is Tautulli (not Plex Media Server itself), and it...
CVE-2018-13415
CVE-2018-13415 affects Plex Media Server 1.13.2.5154, specifically the XML parsing engine used for SSDP/UPnP. The vulnerability is an XML External Entity Processing (XXE) flaw that allows unauthenticated attackers on the same network to: (1) read arbitrary files on the host filesystem, (2) establ...
CVE-2021-42835
Plex Media Server up to version 1.24.4.5081-e362dc1ee is affected by a TOCTOU race in the exposed RPC interface of the Product Update Service, enabling a local attacker with a low-privileged account to interact with the RPC and execute code from a chosen path (local or via SMB) with the update se...
CVE-2014-9304
Plex Media Server prior to 0.9.9.3 is affected. The issue allows remote attackers to bypass the web server whitelist, perform SSRF via multiple crafted X-Plex-Url headers to system/proxy, and take arbitrary administrative actions due to inconsistent processing in the backend request handler. Impa...
CVE-2014-9181
Plex Media Server (pre-0.9.9.3) is affected by CVE-2014-9181, which describes multiple directory traversal vulnerabilities that allow an attacker to read arbitrary files by supplying a .. sequence in the URI to endpoints such as manage/, web/, or resources/. The Red Hat advisory and CVE records c...
CVE-2025-69416
Summary of CVE-2025-69416: In Plex Media Server (PMS) prior to or within versions affected by PMS build times up to 1.43.0.10389, a non-server device token can retrieve other tokens intended for unrelated access via the plex.tv backend (devices.xml). The connected OpenVAS entry corroborates a PM...
CVE-2025-69415
CVE-2025-69415 affects Plex Media Server (PMS). According to NVD/narratives, PMS <= 1.42.2.10156 allows accessing /myplex/account with a device token that is not properly aligned with the device’s current account association. The OpenVAS entry for Plex Media Server
CVE-2025-69414
Plex Media Server (PMS) shows token leakage vulnerabilities across multiple CVEs. Specifically, CVE-2025-69414 (PMS up to 1.42.2.10156) allows retrieval of a permanent access token via /myplex/account using a transient token. OpenVAS notes PMS
CVE-2025-69417
CVE-2025-69417 affects Plex Media Server (PMS) prior to latest updates. The issue arises when a non-server device token can retrieve share tokens intended for unrelated access via the shared_servers endpoint, indicating an access-control weakness in PMS’s token handling. Public references in the ...