HIGH🇵🇱 Wersja polska

CVE-2026-35032

CVSS 8.6v4.0pub. 2026-04-14upd. 2026-04-23

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not validated, allowing local file read via non-HTTP paths and Server-Side Request Forgery (SSRF) via HTTP URLs. This is exploitable by any authenticated user because the EnableLiveTvManagement permission defaults to true for all new users. An attacker can chain these vulnerabilities by adding an M3U tuner pointing to an attacker-controlled server, serving a crafted M3U with a channel pointing to the Jellyfin database, exfiltrating the database to extract admin session tokens, and escalating to admin privileges. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can disable Live TV Management privileges for all users.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Jellyfin

    APP
    Jellyfin
    < 10.11.7
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SSRF
CWE
References

Related vulnerabilities

CVE-2026-35033CRITICAL9.3PL ✓ten sam produkt

Jellyfin: odczyt dowolnych plików przez command injection w ffmpeg

CVE-2026-35031CRITICAL9.9PL ✓ten sam produkt

Jellyfin: RCE jako root przez path traversal w endpoincie przesyłania napisów

CVE-2026-31852CRITICAL10.0PL ✓ten sam produkt

Krytyczna podatność RCE w workflow GitHub Actions Jellyfin iOS

CVE-2023-30627CRITICAL9.0ten sam produkt

jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prio...

CVE-2025-31499HIGH7.6ten sam produkt

Jellyfin is an open source self hosted media server. Versions before 10.10.7 are vulnerable to argument inject...