CVE-2026-35032

EUVD-2026-22766

14.04.2026, 23:16

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not validated, allowing local file read via non-HTTP paths and Server-Side Request Forgery (SSRF) via HTTP URLs. This is exploitable by any authenticated user because the EnableLiveTvManagement permission defaults to true for all new users. An attacker can chain these vulnerabilities by adding an M3U tuner pointing to an attacker-controlled server, serving a crafted M3U with a channel pointing to the Jellyfin database, exfiltrating the database to extract admin session tokens, and escalating to admin privileges. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can disable Live TV Management privileges for all users.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
GitHub_M	CNA	8.6 HIGH	NETWORK	LOW	LOW	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
jellyfin	jellyfin	𝑥 < 10.11.7	CNA

Common Weakness Enumeration

CWE-73 - External Control of File Name or Path
The software allows user input to control or influence paths or file names that are used in filesystem operations.

References

https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7

https://github.com/jellyfin/jellyfin/security/advisories/GHSA-8fw7-f233-ffr8