SB2026041528 - Multiple vulnerabilities in Jellyfin

Published: April 15, 2026
Updated: April 17, 2026

Security Bulletin ID: SB2026041528
Severity: Medium
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 50%
Low: 50%

Description

This security bulletin contains information about 4 security vulnerabilities.


1) Improper Neutralization of Argument Delimiters in a Command (CVE-ID: CVE-2026-35033)

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper neutralization of argument delimiters in a command in the ParseStreamOptions method in StreamingHelpers.cs and the /Videos/{itemId}/stream endpoint when processing StreamOptions query parameters. A remote attacker can send a specially crafted request to disclose sensitive information.

The issue can be exploited without authentication, and injected ffmpeg arguments can cause server file contents to be rendered into the video stream response.


2) Resource exhaustion (CVE-ID: CVE-2026-35034)

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in the SyncPlay API endpoint when creating SyncPlay groups with excessively large group names. A remote user can send a specially crafted request to cause a denial of service.

The issue can lock out the endpoint for clients attempting to join SyncPlay groups and may significantly increase memory usage, possibly leading to an out-of-memory crash.


3) Improper input validation (CVE-ID: CVE-2026-35032)

The vulnerability allows a remote user to read arbitrary files and perform server-side request forgery.

The vulnerability exists due to improper input validation in the LiveTV M3U tuner endpoint when processing user-supplied tuner URLs. A remote user can submit a specially crafted tuner URL to read arbitrary files and perform server-side request forgery.

The issue is exploitable by authenticated users because Live TV management permissions are enabled by default for new users.


4) Path traversal (CVE-ID: CVE-2026-35031)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to path traversal in the subtitle upload endpoint when processing the Format field in subtitle upload requests. A remote user can upload a specially crafted subtitle to write arbitrary files and chain the issue to execute arbitrary code.

Exploitation requires the Upload Subtitles permission.


Remediation

Install the update from the vendor's website.