Vulmon
jellyfin jellyfin vulnerabilities and exploits
7.2
CVSSv3
CVE-2023-48702
Jellyfin is a system for managing and streaming media. Prior to version 10.8.13, the `/System/MediaEncoder/Path` endpoint executes an arbitrary file using `ProcessStartInfo` via the `ValidateVersion` function. A malicious administrator can set up a network share and supply a UNC p...
Jellyfin Jellyfin
8.8
CVSSv3
CVE-2023-49096
Jellyfin is a Free Software Media System for managing and streaming media. In affected versions there is an argument injection in the VideosController, specifically the `/Videos/<itemId>/stream` and `/Videos/<itemId>/stream.<container>` endpoints which are prese...
Jellyfin Jellyfin
8.1
CVSSv3
CVE-2023-30626
Jellyfin is a free-software media system. Versions starting with 10.8.0 and before 10.8.10 and prior have a directory traversal vulnerability inside the `ClientLogController`, specifically `/ClientLog/Document`. When combined with a cross-site scripting vulnerability (CVE-2023-30...
Jellyfin Jellyfin
5.4
CVSSv3
CVE-2023-30627
jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10, a stored cross-site scripting vulnerability in device.js can be used to make arbitrary calls to the `REST` endpoints with admin privileges. When com...
Jellyfin Jellyfin
7.5
CVSSv3
CVE-2023-27161
Jellyfin up to v10.7.7 contains a Server-Side Request Forgery (SSRF) via the component /Repositories. This vulnerability allows malicious users to access network resources and sensitive information via a crafted POST request.
Jellyfin Jellyfin
5.4
CVSSv3
CVE-2023-23635
In Jellyfin 10.8.x up to and including 10.8.3, the name of a collection is vulnerable to stored XSS. This allows a malicious user to steal access tokens from the localStorage of the victim.
Jellyfin Jellyfin
5.4
CVSSv3
CVE-2023-23636
In Jellyfin 10.8.x up to and including 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows a malicious user to steal access tokens from the localStorage of the victim.
Jellyfin Jellyfin
8.8
CVSSv3
CVE-2022-35909
In Jellyfin prior to 10.8, the /users endpoint has incorrect access control for admin functionality.
Jellyfin Jellyfin
5.4
CVSSv3
CVE-2022-35910
In Jellyfin prior to 10.8, stored XSS allows theft of an admin access token.
Jellyfin Jellyfin
5.8
CVSSv3
CVE-2021-29490
Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Versions before 10.7.3 are vulnerable to unauthenticated Server-Side Request Forgery (SSRF) attacks via the imageUrl parameter. This issue potentially exposes bo...