threatengine.sh
Product: plex media server
40 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph. The list is matched on the product name "media server", so it is not Plex-only: the descriptions below show that several entries concern Synology Media Server, Logitech Media Server, Firefly Media Server, EvoStream Media Server, the media-server library, Tautulli (a Plex companion app), and one Microsoft Windows advisory, and the CVE-2025-491xx entries describe an FTP server and an unencrypted REST API rather than a Plex component. Check each description, not just the version range, before mapping an entry to your deployment.
CVE-2025-69417 | affected: <= 1.43.0.10389 | CVSS 5.0 (MEDIUM)
    In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve share tokens (intend…

CVE-2025-69416 | affected: <= 1.43.0.10389 | CVSS 5.0 (MEDIUM)
    In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve other tokens (intend…

CVE-2025-69415 | affected: <= 1.42.2.10156 | CVSS 7.1 (HIGH)
    In Plex Media Server (PMS) through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned wit…

CVE-2025-69414 | affected: <= 1.42.2.10156 | CVSS 8.5 (HIGH)
    Plex Media Server (PMS) through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transi…

CVE-2025-49198 | affected: all versions | CVSS 3.1 (LOW)
    The Media Server's authorization tokens have a poor quality of randomness. An attacker may be able to guess the token of an acti…

CVE-2025-49197 | affected: < 1.5 | CVSS 6.5 (MEDIUM)
    The application uses a weak password hash function, allowing an attacker to crack the weak password hash to gain access to an FTP…

CVE-2025-49195 | affected: all versions | CVSS 5.3 (MEDIUM)
    The FTP server's login mechanism does not restrict authentication attempts, allowing an attacker to brute-force user passwords a…

CVE-2025-49194 | affected: all versions | CVSS 7.5 (HIGH)
    The server supports authentication methods in which credentials are sent in plaintext over unencrypted channels. If an attacker we…

CVE-2025-49193 | affected: < 1.5 | CVSS 4.2 (MEDIUM)
    The application fails to implement several security headers. These headers help increase the overall security level of the web app…

CVE-2025-49192 | affected: < 1.5 | CVSS 4.3 (MEDIUM)
    The web application is vulnerable to clickjacking attacks. The site can be embedded into another frame, allowing an attacker to tr…

CVE-2025-49189 | affected: < 1.5 | CVSS 5.3 (MEDIUM)
    The HttpOnly flag of the session cookie "@@" is set to false. Since this flag helps prevent access to cookies via client-side…

CVE-2025-49186 | affected: all versions | CVSS 5.3 (MEDIUM)
    The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, m…

CVE-2025-49183 | affected: all versions | CVSS 7.5 (HIGH)
    All communication with the REST API is unencrypted (HTTP), allowing an attacker to intercept traffic between an actor and the webs…

CVE-2025-49182 | affected: < 1.5 | CVSS 7.5 (HIGH)
    Files in the source code contain login credentials for the admin user and the property configuration password, allowing an attacke…

CVE-2025-49181 | affected: all versions | CVSS 8.6 (HIGH)
    Due to missing authorization of an API endpoint, unauthorized users can send HTTP GET requests to gather sensitive information. An…

CVE-2024-4464 | affected: < 1.4-2680 | CVSS 7.5 (HIGH)
    Authorization bypass through user-controlled key vulnerability in streaming service in Synology Media Server before 1.4-2680, 2.0.…

CVE-2024-24262 | affected: all versions | CVSS 7.5 (HIGH)
    media-server v1.0.0 was discovered to contain a Use-After-Free (UAF) vulnerability via the sip_uac_stop_timer function at /uac/sip…

CVE-2024-24260 | affected: all versions | CVSS 7.5 (HIGH)
    media-server v1.0.0 was discovered to contain a Use-After-Free (UAF) vulnerability via the sip_subscribe_remove function at /uac/s…

CVE-2021-33959 | affected: <= 1.21 | CVSS 7.5 (HIGH)
    Plex Media Server 1.21 and before is vulnerable to a DDoS reflection attack via the Plex service.

CVE-2022-27614 | affected: < 1.8.1-2876 | CVSS 5.3 (MEDIUM)
    Exposure of sensitive information to an unauthorized actor vulnerability in web server in Synology Media Server before 1.8.1-2876…

CVE-2022-22683 | affected: < 1.8.1-2876 | CVSS 10.0 (CRITICAL)
    Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in cgi component in Synology Media Server bef…

CVE-2021-42835 | affected: < 1.25.0.5282 | CVSS 7.0 (HIGH)
    An issue was discovered in Plex Media Server through 1.24.4.5081-e362dc1ee. An attacker (with a foothold in an endpoint via a low-p…

CVE-2021-34808 | affected: < 1.8.3-2881 | CVSS 5.8 (MEDIUM)
    Server-Side Request Forgery (SSRF) vulnerability in cgi component in Synology Media Server before 1.8.3-2881 allows remote attacke…

CVE-2021-33180 | affected: < 1.8.1-2876 | CVSS 7.3 (HIGH)
    Improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability in cgi component in Synology Me…

CVE-2020-5742 | affected: releases before 2020-06-15 | CVSS 8.8 (HIGH)
    Improper Access Control in Plex Media Server prior to June 15, 2020 allows any origin to execute cross-origin application requests…

CVE-2020-5741 | affected: < 1.19.3 | CVSS 7.2 (HIGH)
    Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Pyt…

CVE-2020-5740 | affected: < 1.19.1.2701 | CVSS 7.8 (HIGH)
    Improper Input Validation in Plex Media Server on Windows allows a local, unauthenticated attacker to execute arbitrary Python cod…

CVE-2019-19141 | affected: <= 1.18.2.2029 | CVSS 8.8 (HIGH)
    The Camera Upload functionality in Plex Media Server through 1.18.2.2029 allows remote authenticated users to write files anywhere…

CVE-2018-21031 | affected: all versions | CVSS 6.5 (MEDIUM)
    Tautulli versions 2.1.38 and below allow remote attackers to bypass intended access control in Plex Media Server because the X-Pl…

CVE-2018-13415 | affected: all versions | CVSS 9.8 (CRITICAL)
    In Plex Media Server 1.13.2.5154, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Proce…

CVE-2018-8914 | affected: >= 1.4 and < 1.4-2654 | CVSS 7.3 (HIGH)
    SQL injection vulnerability in UPnP DMA in Synology Media Server before 1.7.6-2842 and before 1.4-2654 allows remote attackers to…

CVE-2017-16568 | affected: all versions | CVSS 5.4 (MEDIUM)
    Persistent Cross-Site Scripting (XSS) vulnerability in Logitech Media Server 7.9.0, affecting the "Radio" functionality. This vuln…

CVE-2017-16567 | affected: all versions | CVSS 5.4 (MEDIUM)
    Persistent Cross-Site Scripting (XSS) vulnerability in Logitech Media Server 7.9.0, affecting the "Favorites" feature. This vulner…

CVE-2017-15687 | affected: all versions | CVSS 6.1 (MEDIUM)
    DOM Based Cross Site Scripting (XSS) exists in Logitech Media Server 7.7.1, 7.7.2, 7.7.3, 7.7.5, 7.7.6, 7.9.0, and 7.9.1 via a cra…

CVE-2017-6427 | affected: all versions | CVSS 7.5 (HIGH)
    A Buffer Overflow was discovered in EvoStream Media Server 1.7.1. A crafted HTTP request with a malicious header will cause a cras…

CVE-2014-9304 | affected: <= 0.9.9.2 | CVSS: not listed
    Plex Media Server before 0.9.9.3 allows remote attackers to bypass the web server whitelist, conduct SSRF attacks, and execute arb…

CVE-2014-9181 | affected: <= 0.9.9.2 | CVSS: not listed
    Multiple directory traversal vulnerabilities in Plex Media Server before 0.9.9.3 allow remote attackers to read arbitrary files vi…

CVE-2007-5825 | affected: all versions | CVSS: not listed
    Format string vulnerability in the ws_addarg function in webserver.c in mt-dappd in Firefly Media Server 0.2.4 and earlier allows…

CVE-2007-5824 | affected: <= 0.2.4 | CVSS: not listed
    webserver.c in mt-dappd in Firefly Media Server 0.2.4 and earlier allows remote attackers to cause a denial of service (NULL deref…

CVE-2007-2374 | affected: all versions | CVSS: not listed
    Unspecified vulnerability in Microsoft Windows 2000, XP, and Server 2003 allows user-assisted remote attackers to execute arbitrar…
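The version ranges above are the practical hook for a practitioner: given the build string a PMS instance reports, which entries still apply? Plex build strings carry four numeric components plus a commit hash (the page's own example is 1.24.4.5081-e362dc1ee), and a naive string comparison gets them wrong. The example below is added here and is not threatengine.sh code; it parses such version strings, evaluates range expressions in the form this page uses ("<= 1.43.0.10389", ">= 1.4 and < 1.4-2654", "all versions"), and checks a build against a constructed subset of the Plex-specific entries on this page (the Synology, Logitech, Firefly, EvoStream and FTP/REST entries are deliberately left out; the date-based range of CVE-2020-5742 is not a version and is also left out). One assumption is made explicit in the code: a bound with fewer components than the build is treated as a prefix, so "<= 1.21" covers every 1.21.x and "< 1.19.3" excludes every 1.19.3.x, which matches how the page phrases "1.21 and before".

```python
import re

# Constructed subset of the Plex-specific entries listed on this page.
# Ranges are copied as the page states them; this is not authoritative data.
PLEX_ADVISORIES = [
    ("CVE-2025-69417", "<= 1.43.0.10389"),
    ("CVE-2025-69416", "<= 1.43.0.10389"),
    ("CVE-2025-69415", "<= 1.42.2.10156"),
    ("CVE-2025-69414", "<= 1.42.2.10156"),
    ("CVE-2021-33959", "<= 1.21"),
    ("CVE-2021-42835", "< 1.25.0.5282"),
    ("CVE-2020-5741",  "< 1.19.3"),
    ("CVE-2020-5740",  "< 1.19.1.2701"),
    ("CVE-2019-19141", "<= 1.18.2.2029"),
    ("CVE-2014-9304",  "<= 0.9.9.2"),
    ("CVE-2014-9181",  "<= 0.9.9.2"),
]


def parse_version(text):
    """Turn '1.24.4.5081-e362dc1ee' into (1, 24, 4, 5081).

    Everything after the first '-' is a commit hash on Plex builds and is
    dropped; if that suffix is purely numeric (Synology-style '1.4-2654')
    it is kept as a trailing build component instead.
    """
    core, _, suffix = text.strip().partition("-")
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    if suffix.isdigit():
        parts.append(int(suffix))
    if not parts:
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(parts)


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}


def parse_range(text):
    """'<= 1.43.0.10389' or '>= 1.4 and < 1.4-2654' -> [(op, version), ...].

    'all versions' yields an empty clause list, which every version satisfies.
    """
    text = text.strip()
    if text == "all versions":
        return []
    clauses = []
    for clause in text.split(" and "):
        m = re.fullmatch(r"(<=|>=|<|>)\s*(\S+)", clause.strip())
        if not m:
            raise ValueError(f"unsupported range expression: {text!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses


def satisfies(version, clauses):
    """All clauses must hold. Assumption: a bound is compared as a prefix,
    so only as many components of the build as the bound has are compared."""
    for op, bound in clauses:
        if not _OPS[op](version[: len(bound)], bound):
            return False
    return True


def affecting(build, advisories=PLEX_ADVISORIES):
    """CVE ids from the table whose listed range contains this build."""
    version = parse_version(build)
    return [cve for cve, rng in advisories if satisfies(version, parse_range(rng))]


if __name__ == "__main__":
    # The build string is the one quoted in the CVE-2021-42835 entry.
    for cve in affecting("1.24.4.5081-e362dc1ee"):
        print(cve)
```

Feed it the version string from the server's own `/identity` or `/` XML (the `version` attribute) and treat the output as a worklist to verify against each entry's full briefing, since, as noted above, the page's "all versions" entries and non-Plex products are excluded from this table on purpose.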
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin