CVE-2026-35034— Jellyfin: Potential Application DoS from excessively large SyncPlay group names
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-35034
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Jellyfin: Potential Application DoS from excessively large SyncPlay group names
Source: NVD (National Vulnerability Database)
Vulnerability Description
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a denial of service vulnerability in the SyncPlay group creation endpoint (POST /SyncPlay/New), where an authenticated user can create groups with names of unlimited size due to insufficient input validation. By sending large payloads combined with arbitrary group IDs, an attacker can lock out the endpoint for other clients attempting to join SyncPlay groups and significantly increase the memory usage of the Jellyfin process, potentially leading to an out-of-memory crash. This issue has been fixed in version 10.11.7.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
未加控制的资源消耗(资源穷尽)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Jellyfin 资源管理错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Jellyfin是Jellyfin开源的一个免费软件媒体系统。可让您控制媒体的管理和流式传输。它是专有Emby和Plex的替代产品,可以通过多个应用程序将专用服务器中的媒体提供给最终用户设备。 Jellyfin 10.11.7之前版本存在资源管理错误漏洞,该漏洞源于SyncPlay组创建端点输入验证不足,可能导致拒绝服务。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-35034
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-35034
请登录查看更多情报信息。
Same Patch Batch · jellyfin · 2026-04-14 · 4 CVEs total
| CVE-2026-35031 | 10.0 CRITICAL | Jellyfin: Potential RCE via subtitle upload path traversal + .strm chain |
| CVE-2026-35032 | Jellyfin: Potential SSRF + Arbitrary file read via LiveTV M3U tuner | |
| CVE-2026-35033 | Jellyfin: Potential SSRF + Arbitrary file read via stream argument injection |
IV. Related Vulnerabilities
Same product: jellyfin
- CVE-2026-35033
Jellyfin: Potential SSRF + Arbitrary file read via stream ar - CVE-2026-35032
Jellyfin: Potential SSRF + Arbitrary file read via LiveTV M3 - CVE-2026-35031
Jellyfin: Potential RCE via subtitle upload path traversal + - CVE-2025-31499
Jellyfin Vulnerable to Argument Injection in FFmpeg - CVE-2025-32012
Jellyfin Vulnerable to Denial of Service (DoS) via IP Spoofi
Same vendor: jellyfin
- CVE-2026-35033
Jellyfin: Potential SSRF + Arbitrary file read via stream ar - CVE-2026-35032
Jellyfin: Potential SSRF + Arbitrary file read via LiveTV M3 - CVE-2026-35031
Jellyfin: Potential RCE via subtitle upload path traversal + - CVE-2026-31852
Jellyfin Possible Organization/Secret Compromise from danger - CVE-2025-31499
Jellyfin Vulnerable to Argument Injection in FFmpeg
Same weakness: CWE-400
- CVE-2026-8187
Open5GS UPF gtp-path.c _gtpv1_u_recv_cb resource consumption - CVE-2026-42343
FastGPT: Uncontrolled Resource Consumption leading to Sandbo - CVE-2026-42212
SolidCAM-GPPL-IDE: XML External Entity (XXE) and billion-lau - CVE-2026-32686
Unbounded exponent in decimal enables unauthenticated DoS - CVE-2026-20188
Cisco Crosswork Network Controller and Cisco Network Service
V. Comments for CVE-2026-35034
No comments yet