anonhaven
Ad

CVE-2026-35031

CRITICAL CVSS 3.1: 9.9
Updated Apr 17, 2026
Jellyfin
Parameter Value
CVSS 9.9 (CRITICAL)
Affected Versions before 10.11.7
Fixed In 10.11.7
Type CWE-20 (Improper Input Validation), CWE-22 (Path Traversal), CWE-187
Vendor Jellyfin
Public PoC No

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field is not validated, allowing path traversal via the file extension and enabling arbitrary file write. This arbitrary file write can be chained into arbitrary file read via .strm files, database extraction, admin privilege escalation, and ultimately remote code execution as root via ld.so.preload.

Exploitation requires an administrator account or a user that has been explicitly granted the "Upload Subtitles" permission. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can grant non-administrator users Subtitle upload permissions to reduce attack surface.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
High
Complete denial of service

CVSS Vector v3.1

Weakness Type (CWE)

CWE-20 Improper Input Validation
CWE-22 Path Traversal
CWE-187

References 2

https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7
security-advisories@github.com
https://github.com/jellyfin/jellyfin/security/advisories/GHSA-j2hf-x4q5-47j3
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-35034

Jellyfin

6.5

CVE-2026-35033

Jellyfin

9.3

CVE-2026-35032

Jellyfin

8.6