threat
engine
.sh
Back
·
··:··
Home
/
Product
/
jellyfin
Product
jellyfin
19 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
Sort
Newest first
Oldest first
Highest CVSS
Lowest CVSS
Min CVSS
Any
4.0+
7.0+ (High)
9.0+ (Critical)
Published since
Reset
CVE-2026-35034
< 10.11.7
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a denial of service vulnerability in the Sy
6.5
MEDIUM
CVE-2026-35033
< 10.11.7
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary file read vuln
9.1
CRITICAL
CVE-2026-35032
< 10.11.7
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tun
8.1
HIGH
CVE-2026-35031
< 10.11.7
Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle uploa
9.9
CRITICAL
CVE-2026-31852
all versions
Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is vulnerable to ar
10.0
CRITICAL
CVE-2025-31499
< 10.10.7
Jellyfin is an open source self hosted media server. Versions before 10.10.7 are vulnerable to argument injection in FFmpeg. This
8.8
HIGH
CVE-2025-32012
>= 10.9.0 and < 10.10.7
Jellyfin is an open source self hosted media server. In versions 10.9.0 to before 10.10.7, the /System/Restart endpoint provides a
7.5
HIGH
CVE-2024-43801
>= 10.8.0 and <= 10.9.10
Jellyfin is an open source self hosted media server. The Jellyfin user profile image upload accepts SVG files, allowing for a stor
4.6
MEDIUM
CVE-2023-48702
< 10.8.13
Jellyfin is a system for managing and streaming media. Prior to version 10.8.13, the
/System/MediaEncoder/Path
endpoint executes
7.2
HIGH
CVE-2023-49096
< 10.8.13
Jellyfin is a Free Software Media System for managing and streaming media. In affected versions there is an argument injection in
7.7
HIGH
CVE-2023-30627
>= 10.1.0 and < 10.8.10
jellyfin-web is the web client for Jellyfin, a free-software media system. Starting in version 10.1.0 and prior to version 10.8.10
9.0
CRITICAL
CVE-2023-30626
>= 10.8.0 and < 10.8.10
Jellyfin is a free-software media system. Versions starting with 10.8.0 and prior to 10.8.10 and prior have a directory traversal
8.8
HIGH
CVE-2023-27161
<= 10.7.7
Jellyfin up to v10.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the component /Repositories. This vulner
7.5
HIGH
CVE-2023-23636
>= 10.8.0 and <= 10.8.3
In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tok
5.4
MEDIUM
CVE-2023-23635
>= 10.8.0 and <= 10.8.3
In Jellyfin 10.8.x through 10.8.3, the name of a collection is vulnerable to stored XSS. This allows an attacker to steal access t
5.4
MEDIUM
CVE-2022-35910
< 10.8
In Jellyfin before 10.8, stored XSS allows theft of an admin access token.
5.4
MEDIUM
CVE-2022-35909
< 10.8
In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality.
8.8
HIGH
CVE-2021-29490
< 10.7.3
Jellyfin is a free software media system that provides media from a dedicated server to end-user devices via multiple apps. Verion
5.8
MEDIUM
CVE-2021-21402
< 10.7.1
Jellyfin is a Free Software Media System. In Jellyfin before version 10.7.1, with certain endpoints, well crafted requests will al
7.7
HIGH
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin