VYPR
Moderate severityNVD Advisory· Published Feb 3, 2023· Updated Mar 26, 2025

CVE-2023-23636


Description

In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: jellyfin-web (npm)
Affected versions: >= 10.8.0, < 10.8.4
Patched versions: 10.8.4


Vulnerability mechanics

Root cause

"Missing HTML escaping of item.Name when constructing aria-label attributes in card builder templates."

Attack vector

An attacker with the ability to create or rename a playlist can set the playlist name to a malicious JavaScript payload, such as `

Affected code

The vulnerability exists in `src/components/cardbuilder/cardBuilder.js` [patch_id=1641102]. Two locations construct an `aria-label` attribute by directly interpolating `item.Name` into an HTML string without sanitization. The first is around line 1347 for card image containers, and the second is around line 1430 for button elements.

What the fix does

The patch wraps `item.Name` with `escapeHtml()` before inserting it into the `aria-label` attribute string [patch_id=1641102]. This HTML-encodes characters like `
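As an added illustration (not Jellyfin's code and not the patch itself), the JavaScript below contrasts the two patterns the advisory describes: a card template that drops `item.Name` straight into an `aria-label` attribute, and the same template with an `escapeHtml()` call in front of the value. The `escapeHtml`, `buildCardVulnerable`, `buildCardFixed` and `extractAttribute` helpers, and the playlist name used as input, are all constructed for this example; the real cardBuilder.js template differs.

```javascript
// Added example: attribute-context HTML escaping for a card template.
// Nothing here is Jellyfin's code; names and the sample item are constructed.

// Our own escaper for text and double-quoted attribute contexts. It is assumed
// to behave like the escapeHtml() the advisory mentions, but it is not that function.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Inverse of escapeHtml(), used only to verify round-tripping. '&amp;' is
// decoded last so an encoded ampersand cannot be double-decoded.
function unescapeHtml(str) {
  return String(str)
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&amp;/g, "&");
}

// Vulnerable pattern: item.Name is interpolated into the attribute unchanged,
// so a double quote in the name ends the attribute early.
function buildCardVulnerable(item) {
  return '<div class="cardImageContainer" aria-label="' + item.Name + '"></div>';
}

// Hardened pattern (what the fix does): encode the value before it enters the attribute.
function buildCardFixed(item) {
  return '<div class="cardImageContainer" aria-label="' + escapeHtml(item.Name) + '"></div>';
}

// Pulls the raw value of a double-quoted attribute the way a parser would:
// everything from the opening quote up to the next '"'. Returns null if absent.
function extractAttribute(html, attrName) {
  const marker = attrName + '="';
  const start = html.indexOf(marker);
  if (start < 0) return null;
  const from = start + marker.length;
  const end = html.indexOf('"', from);
  return end < 0 ? null : html.slice(from, end);
}

// Constructed playlist name: contains the characters that matter in an attribute
// context (a quote that closes the attribute and angle brackets that open a tag).
const craftedItem = { Name: 'Road trip" data-demo="<b>' };

// Runs both templates over the crafted name and reports what a parser would see.
function compare(item) {
  const vulnerable = buildCardVulnerable(item);
  const fixed = buildCardFixed(item);
  return {
    vulnerableAriaLabel: extractAttribute(vulnerable, "aria-label"),
    vulnerableLeaksAttribute: vulnerable.includes(' data-demo="'),
    fixedAriaLabelDecoded: unescapeHtml(extractAttribute(fixed, "aria-label")),
    fixedLeaksAttribute: fixed.includes(' data-demo="'),
  };
}

console.log(compare(craftedItem));
```

In the vulnerable output the `aria-label` value is cut off at `Road trip` and the rest of the name becomes markup of its own, which is the breakout the advisory describes; in the hardened output the whole name survives as a single encoded attribute value and decodes back to exactly what the user typed. Note that `escapeHtml()` is only sufficient because the value lands inside a double-quoted attribute; a value placed in an unquoted attribute or a JavaScript context would need different encoding.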

Preconditions

  • auth: The attacker must have the ability to create or rename a playlist (or any item whose Name is rendered in a card).
  • network: A victim must browse to a page that renders the crafted playlist name as a card (e.g., the library or playlist view).

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
