
CVE-2026-35031

CRITICAL
10.0
CVSS 3.1
Description
Jellyfin is an open-source, self-hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles): the Format field is not validated, so a client-supplied value is used as the file extension of the written file, allowing path traversal and therefore arbitrary file write. This arbitrary file write can be chained into arbitrary file read via .strm files, database extraction, admin privilege escalation, and ultimately remote code execution as root via ld.so.preload. Exploitation requires an administrator account or a user that has been explicitly granted the "Upload Subtitles" permission. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can grant non-administrator users Subtitle upload permissions to reduce attack surface.
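The weak versus strict Format check, written here as added example code that is not Jellyfin's own (the allow-list, the language-code rule and the function names are assumptions): a partial string comparison (CWE-187) accepts any value that merely ends in a known extension, whereas exact allow-list membership plus a final containment check on the resolved path rejects anything that could move the write outside the media item's directory.

```python
import posixpath
import re

# Assumed allow-list of subtitle extensions (illustration only; not taken
# from Jellyfin's source).
ALLOWED_SUBTITLE_FORMATS = frozenset({"srt", "ass", "ssa", "vtt", "sub"})
LANGUAGE_RE = re.compile(r"^[A-Za-z]{2,3}$")  # assumed ISO-639-style code


def weak_format_check(fmt: str) -> bool:
    """Vulnerable pattern (hypothetical): a partial string comparison (CWE-187)
    that only asks whether the value ends with a known format, so a value
    carrying directory components or '..' still passes."""
    return any(fmt.lower().endswith(ext) for ext in ALLOWED_SUBTITLE_FORMATS)


def strict_format_check(fmt: str) -> bool:
    """Hardened check: exact allow-list membership. A value containing a
    separator, a dot or '..' can never equal a bare extension."""
    return fmt.lower() in ALLOWED_SUBTITLE_FORMATS


def validate_subtitle_upload(media_dir: str, stem: str, language: str,
                             fmt: str) -> tuple[bool, str]:
    """Return (True, target_path) for an acceptable upload, else (False, reason).

    media_dir and stem come from the server's own item record; language and
    fmt are the client-supplied request fields that must be validated.
    """
    if not strict_format_check(fmt):
        return False, f"unsupported subtitle format: {fmt!r}"
    if not LANGUAGE_RE.fullmatch(language):
        return False, f"invalid language code: {language!r}"
    # The stem must be a bare file name, never a relative path.
    if stem in ("", ".", "..") or "/" in stem or "\\" in stem:
        return False, f"invalid media file stem: {stem!r}"
    base = posixpath.normpath(media_dir)
    target = posixpath.normpath(
        posixpath.join(base, f"{stem}.{language.lower()}.{fmt.lower()}"))
    # Defence in depth: whatever the inputs were, the file that gets written
    # must still resolve inside the item's own directory.
    if posixpath.commonpath([base, target]) != base:
        return False, "target path escapes the media directory"
    return True, target
```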

Metadata

CVE ID
CVE-2026-35031
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-03-31 21:06 UTC
Published
2026-04-14 22:18 UTC
Last updated
2026-04-16 13:56 UTC
Primary CWE
CWE-20
CWE-20: Improper Input Validation
Vendor / Product
jellyfin / jellyfin
Sources
cve.org  ·  NVD

Severity & Metrics

10.0 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (1)
Vendor | Product | Platform | Versions
jellyfin | jellyfin | | < 10.11.7
Weakness (CWE)
CWE | Source | Description
CWE-187 | cna | CWE-187: Partial String Comparison
CWE-20 | cna | CWE-20: Improper Input Validation
CWE-22 | cna | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS scores (1)
Score | Severity | Version | Source | Vector
10.0 | CRITICAL | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
References (2)