CVE-2026-35032— Jellyfin: Potential SSRF + Arbitrary file read via LiveTV M3U tuner

Jellyfin: Potential SSRF + Arbitrary file read via LiveTV M3U tuner

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not validated, allowing local file read via non-HTTP paths and Server-Side Request Forgery (SSRF) via HTTP URLs. This is exploitable by any authenticated user because the EnableLiveTvManagement permission defaults to true for all new users. An attacker can chain these vulnerabilities by adding an M3U tuner pointing to an attacker-controlled server, serving a crafted M3U with a channel pointing to the Jellyfin database, exfiltrating the database to extract admin session tokens, and escalating to admin privileges. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can disable Live TV Management privileges for all users.

N/A

服务端请求伪造(SSRF)

Jellyfin 代码问题漏洞

Jellyfin是Jellyfin开源的一个免费软件媒体系统。可让您控制媒体的管理和流式传输。它是专有Emby和Plex的替代产品，可以通过多个应用程序将专用服务器中的媒体提供给最终用户设备。 Jellyfin 10.11.7之前版本存在代码问题漏洞，该漏洞源于LiveTV M3U调谐器端点未验证调谐器URL，可能导致本地文件读取和服务端请求伪造。

N/A

N/A