Vendor CVEs
Jellyfin
All CVEs
23 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-35031 | Jellyfin | Critical | 0.57 | 9.9 | 0.01 | | Apr 14, 2026 | Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field is not validated, allowing path traversal via the file extension and enabling… |
| CVE-2026-35033 | Jellyfin | Critical | 0.52 | 9.1 | 0.00 | | Apr 14, 2026 | Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary file read vulnerability via ffmpeg argument injection through the StreamOptions query parameter parsing mechanism. The ParseStreamOptions method in… |
| CVE-2026-35032 | Jellyfin | High | 0.46 | 8.1 | 0.00 | | Apr 14, 2026 | Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not validated, allowing local file read via non-HTTP paths and Server-Side Request… |
| CVE-2026-35034 | Jellyfin | Medium | 0.35 | 6.5 | 0.00 | | Apr 14, 2026 | Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a denial of service vulnerability in the SyncPlay group creation endpoint (POST /SyncPlay/New), where an authenticated user can create groups with names of unlimited size due to insufficient… |
| CVE-2021-29490 | Jellyfin | | 0.07 | — | 0.70 | | May 5, 2021 | Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Versions prior to 10.7.3 are vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter. This issue potentially exposes… |
| CVE-2021-21402 | Jellyfin | | 0.06 | — | 0.80 | | Mar 23, 2021 | Jellyfin is a Free Software Media System. In Jellyfin before version 10.7.1, with certain endpoints, well crafted requests will allow arbitrary file read from a Jellyfin server's file system. This issue is more prevalent when Windows is used as the host OS. Servers that are… |
| CVE-2026-49220 | Jellyfin | | 0.00 | — | 0.00 | | Jun 24, 2026 | Jellyfin is an open source self hosted media server. Prior to 10.11.9, a potential XSS attack exists in Jellyfin which can allow a non-privileged user to execute arbitrary JavaScript in the context of a logged-in Administrative user, resulting in numerous potential issues. The… |
| CVE-2026-48793 | Jellyfin | | 0.00 | — | 0.00 | | Jun 24, 2026 | Jellyfin is an open source self hosted media server. Prior to 10.11.10, a potential FFmpeg argument injection vulnerability exists in the subtitle conversion code path. SubtitleEncoder.ConvertTextSubtitleToSrtInternal (SubtitleEncoder.cs, line 382) interpolates the subtitle file… |
| CVE-2026-49246 | Jellyfin | | 0.00 | — | 0.00 | | Jun 24, 2026 | Jellyfin is an open source self hosted media server. Prior to 10.11.10, a specifically crafted MKV file containing forged filename tags can be leveraged to exploit missing path sanitization during playback. Jellyfin treats the MKV file name tag on MKV attachments as trusted and… |
| CVE-2026-49247 | Jellyfin | | 0.00 | — | 0.00 | | Jun 24, 2026 | Jellyfin is an open source self hosted media server. From 10.9.0 until 10.11.10, the POST /ClientLog/Document endpoint accepts the Authorization header's Client and Version fields and uses them unsanitized as components of the on-disk filename when persisting client-uploaded log… |
| CVE-2026-31852 | Jellyfin | | 0.00 | — | 0.00 | | Mar 11, 2026 | Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is vulnerable to arbitrary code execution via pull requests from forked repositories. Due to the workflow's elevated permissions (nearly all write permissions), this… |
| CVE-2025-31499 | Jellyfin | | 0.00 | — | 0.01 | | Apr 15, 2025 | Jellyfin is an open source self hosted media server. Versions before 10.10.7 are vulnerable to argument injection in FFmpeg. This can be leveraged to possibly achieve remote code execution by anyone with credentials to a low-privileged user. This vulnerability was previously… |
| CVE-2025-32012 | Jellyfin | | 0.00 | — | 0.01 | | Apr 15, 2025 | Jellyfin is an open source self hosted media server. In versions 10.9.0 to before 10.10.7, the /System/Restart endpoint provides administrators the ability to restart their Jellyfin server. This endpoint is intended to be admins-only, but it also authorizes requests from any… |
| CVE-2024-43801 | Jellyfin | | 0.00 | — | 0.00 | | Sep 2, 2024 | Jellyfin is an open source self hosted media server. The Jellyfin user profile image upload accepts SVG files, allowing for a stored XSS attack against an admin user via a specially crafted malicious SVG file. When viewed by an admin outside of the Jellyfin Web UI (e.g. via… |
| CVE-2023-48702 | Jellyfin | | 0.00 | — | 0.01 | | Dec 13, 2023 | Jellyfin is a system for managing and streaming media. Prior to version 10.8.13, the `/System/MediaEncoder/Path` endpoint executes an arbitrary file using `ProcessStartInfo` via the `ValidateVersion` function. A malicious administrator can set up a network share and supply a UNC… |
| CVE-2023-49096 | Jellyfin | | 0.00 | — | 0.01 | | Dec 6, 2023 | Jellyfin is a Free Software Media System for managing and streaming media. In affected versions there is an argument injection in the VideosController, specifically the `/Videos//stream` and `/Videos//stream.` endpoints which are present in the current… |
| CVE-2023-30627 | Jellyfin | | 0.00 | — | 0.01 | | Apr 24, 2023 | jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the `REST` endpoints with admin privileges. When… |
| CVE-2023-30626 | Jellyfin | | 0.00 | — | 0.02 | | Apr 24, 2023 | Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability… |
| CVE-2023-27161 | Jellyfin | | 0.00 | — | 0.01 | | Mar 10, 2023 | Jellyfin up to v10.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /Repositories. This vulnerability allows attackers to access network resources and sensitive information via a crafted POST request. |
| CVE-2023-23635 | Jellyfin | | 0.00 | — | 0.01 | | Feb 3, 2023 | In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim. |
| CVE-2023-23636 | Jellyfin | | 0.00 | — | 0.01 | | Feb 3, 2023 | In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim. |
| CVE-2022-35909 | Jellyfin | | 0.00 | — | 0.01 | | Aug 19, 2022 | In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality. |
| CVE-2022-35910 | Jellyfin | | 0.00 | — | 0.01 | | Aug 19, 2022 | In Jellyfin before 10.8, stored XSS allows theft of an admin access token. |