anonhaven
Ad

CVE-2026-35032

HIGH CVSS 4.0: 8.6
Updated Apr 17, 2026
Jellyfin
Parameter Value
CVSS 8.6 (HIGH)
Affected Versions before 10.11.7
Fixed In 10.11.7
Type CWE-918 (Server-Side Request Forgery (SSRF)), CWE-73 (External Control of File Name or Path)
Vendor Jellyfin
Public PoC No

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not validated, allowing local file read via non-HTTP paths and Server-Side Request Forgery (SSRF) via HTTP URLs. This is exploitable by any authenticated user because the EnableLiveTvManagement permission defaults to true for all new users.

An attacker can chain these vulnerabilities by adding an M3U tuner pointing to an attacker-controlled server, serving a crafted M3U with a channel pointing to the Jellyfin database, exfiltrating the database to extract admin session tokens, and escalating to admin privileges. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can disable Live TV Management privileges for all users.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
None
No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-918 Server-Side Request Forgery (SSRF)
CWE-73 External Control of File Name or Path

References 2

https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7
security-advisories@github.com
https://github.com/jellyfin/jellyfin/security/advisories/GHSA-8fw7-f233-ffr8
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-35034

Jellyfin

6.5

CVE-2026-35033

Jellyfin

9.3

CVE-2026-35031

Jellyfin

9.9