VYPR
Moderate severity · NVD Advisory · Published Feb 3, 2023 · Updated Mar 26, 2025

CVE-2023-23635


Description

In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Affected versions      Patched versions
jellyfin-web (npm)   >= 10.8.0, < 10.8.4    10.8.4


Vulnerability mechanics

Root cause

"Missing HTML escaping of user-controlled collection name when constructing aria-label attributes in card builder."

Attack vector

An attacker with the ability to create or rename a collection (a standard user action in Jellyfin) sets the collection name to a malicious JavaScript payload, e.g. `">

Affected code

The vulnerability is in `src/components/cardbuilder/cardBuilder.js` in the Jellyfin web frontend. Two locations construct an `aria-label` attribute by directly interpolating `item.Name` into an HTML string without sanitization (lines 1350 and 1433 before the patch). The `item.Name` value originates from a user-controllable collection name stored on the server.

What the fix does

The patch wraps `item.Name` with the `escapeHtml()` function in both locations where the name is interpolated into an `aria-label` attribute string. `escapeHtml()` converts HTML-special characters like `
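Added example, not Jellyfin's code: it contrasts the pre-patch string building in cardBuilder.js with the escaped form. `escapeHtml()`, the two `buildCard*` functions, the helpers and the collection name are all stand-ins constructed for this illustration.

```javascript
// Stand-in for jellyfin-web's escapeHtml(): escapes the five characters that
// can change meaning inside an attribute value or text node (assumption).
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Pre-patch pattern: item.Name interpolated raw into the aria-label attribute.
function buildCardVulnerable(item) {
  return '<button class="cardContent" aria-label="' + item.Name + '"></button>';
}

// Post-patch pattern: item.Name passed through escapeHtml() first.
function buildCardFixed(item) {
  return '<button class="cardContent" aria-label="' + escapeHtml(item.Name) + '"></button>';
}

// Helper for checking the result: the raw value the browser would assign to
// aria-label (everything up to the first unescaped double quote).
function extractAriaLabel(html) {
  const m = html.match(/aria-label="([^"]*)"/);
  return m ? m[1] : null;
}

// Helper for checking the result: how many attributes the opening <button>
// tag carries. A third attribute means the name broke out of aria-label.
function countAttributes(html) {
  const m = html.match(/^<button([^>]*)>/);
  if (!m) return -1;
  return (m[1].match(/\s[\w-]+="/g) || []).length;
}

// Constructed collection name: the embedded quote closes aria-label early and
// the remainder is parsed as a second attribute (the breakout shape only).
const untrustedCollection = { Name: 'Holiday" data-x="<b>' };

// Vulnerable: aria-label is truncated to "Holiday" and a data-x attribute is
// injected. Fixed: the full name survives as one escaped attribute value.
const vulnerableHtml = buildCardVulnerable(untrustedCollection);
const fixedHtml = buildCardFixed(untrustedCollection);
console.log(countAttributes(vulnerableHtml), extractAriaLabel(vulnerableHtml));
console.log(countAttributes(fixedHtml), extractAriaLabel(fixedHtml));
```

The same escape-at-the-sink rule applies to every place a server-supplied name is concatenated into markup, not only the two locations the patch touches.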

Preconditions

  • Auth: The attacker must have the ability to create or edit a collection (standard user permission in Jellyfin).
  • Input: A victim user must browse to a page that renders the malicious collection as a card (e.g. the collections view).

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
