jellyfin — Vulnerabilities & Security Advisories 14

Browse all 14 CVE security advisories affecting jellyfin. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Jellyfin is an open-source media server for organizing and streaming personal content across devices. Historically, it has faced vulnerabilities including remote code execution, cross-site scripting, and privilege escalation, often stemming from improper input validation and access control issues. The project maintains a moderate CVE count of 14, with notable incidents including authentication bypass flaws in earlier versions and information disclosure through API endpoints. While the project addresses vulnerabilities through regular updates, users should implement network segmentation and access controls to mitigate risks, as the software's broad attack surface continues to present security challenges.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-35034 | Jellyfin: Potential Application DoS from excessively large SyncPlay group names | jellyfin | CWE-400 | 6.5 | Medium | 2026-04-14 |
| CVE-2026-35033 | Jellyfin: Potential SSRF + Arbitrary file read via stream argument injection | jellyfin | CWE-88 | 7.5 | - | 2026-04-14 |
| CVE-2026-35032 | Jellyfin: Potential SSRF + Arbitrary file read via LiveTV M3U tuner | jellyfin | CWE-918 | 8.1 | - | 2026-04-14 |
| CVE-2026-35031 | Jellyfin: Potential RCE via subtitle upload path traversal + .strm chain | jellyfin | CWE-20 | 10.0 | Critical | 2026-04-14 |
| CVE-2026-31852 | Jellyfin Possible Organization/Secret Compromise from dangerous CI implementation | code-quality.yml | CWE-269 | 10.0 | Critical | 2026-03-11 |
| CVE-2025-31499 | Jellyfin Vulnerable to Argument Injection in FFmpeg | jellyfin | CWE-88 | 8.8 (AI) | High (AI) | 2025-04-15 |
| CVE-2025-32012 | Jellyfin Vulnerable to Denial of Service (DoS) via IP Spoofing | jellyfin | CWE-290 | 6.5 (AI) | Medium (AI) | 2025-04-15 |
| CVE-2024-43801 | Privilege escalation to admin from a low-privileged user via SVG upload in Jellyfin | jellyfin | CWE-200 | 4.6 | Medium | 2024-09-02 |
| CVE-2023-48702 | Jellyfin Possible Remote Code Execution via custom FFmpeg binary | jellyfin | CWE-77 | 7.2 | High | 2023-12-13 |
| CVE-2023-49096 | Argument Injection in FFmpeg codec parameters in Jellyfin | jellyfin | CWE-88 | 7.7 | High | 2023-12-06 |
| CVE-2023-30627 | jellyfin-web has a stored cross-site scripting vulnerability in devices.js | jellyfin-web | CWE-79 | 9.1 | Critical | 2023-04-24 |
| CVE-2023-30626 | Jellyfin vulnerable to directory traversal and file write causing arbitrary code execution | jellyfin | CWE-22 | 8.8 | High | 2023-04-24 |
| CVE-2021-29490 | Unauthenticated GET requests through Remote Image endpoints | jellyfin | CWE-918 | 5.8 | Medium | 2021-05-05 |
| CVE-2021-21402 | Unauthenticated Arbitrary File Access in Jellyfin | jellyfin | CWE-22 | 7.7 | High | 2021-03-23 |

This page lists every published CVE security advisory associated with jellyfin. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.