VYPR
High severity · NVD Advisory · Published Apr 24, 2023 · Updated Feb 12, 2025

Jellyfin vulnerable to directory traversal and file write causing arbitrary code execution

CVE-2023-30626

Description

Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 have a directory traversal vulnerability inside the ClientLogController, specifically /ClientLog/Document. When combined with a cross-site scripting vulnerability (CVE-2023-30627), this can result in file write and arbitrary code execution. Version 10.8.10 has a patch for this issue. There are no known workarounds.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| Jellyfin.Controller (NuGet) | >= 10.8.0, < 10.8.10 | 10.8.10 |
