CVE-2026-35031

9.9 CRITICAL
Published: April 14, 2026 Modified: April 23, 2026

Description

Jellyfin is an open-source, self-hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field is not validated, allowing path traversal via the file extension and enabling arbitrary file write. This arbitrary file write can be chained into arbitrary file read via .strm files, database extraction, admin privilege escalation, and ultimately remote code execution as root via ld.so.preload. Exploitation requires an administrator account or a user that has been explicitly granted the "Upload Subtitles" permission. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can grant non-administrator users Subtitle upload permissions to reduce attack surface.

CVSS v3.x Details

Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7
Source: security-advisories@github.com
Product Release Notes
https://github.com/jellyfin/jellyfin/security/advisories/GHSA-j2hf-x4q5-47j3
Source: security-advisories@github.com
Mitigation Vendor Advisory

2 reference(s) from NVD

Quick Stats

CVSS v3 Score
9.9 / 10.0
EPSS (Exploit Probability)
0.4%
61st percentile
Exploitation Status
Not in CISA KEV

Affected Vendors

jellyfin