📦 Jellyfin
by Jellyfin
⚠️ Known Vulnerabilities
A stored cross-site scripting (XSS) vulnerability in jellyfin-web allows attackers to make arbitrary REST API calls with admin privileges. When combined with CVE-2023-30626, this can lead to remote co...
This vulnerability allows argument injection in Jellyfin's FFmpeg processing, which can lead to arbitrary file write and potentially remote code execution. Attackers with low-privileged user credentia...
This vulnerability allows a malicious administrator in Jellyfin to execute arbitrary code on the server by exploiting a path traversal issue in the media encoder configuration endpoint. Attackers can ...
Jellyfin media server has an argument injection vulnerability in video/audio streaming endpoints that allows unauthenticated attackers to inject malicious arguments into FFmpeg commands. This could le...
Jellyfin's user profile image upload accepts SVG files that can contain malicious JavaScript. When an admin user views such an image outside the Jellyfin Web UI (e.g., via browser 'view image'), the s...