CVE-2026-35031

Name
CVE-2026-35031
Description
Jellyfin is an open-source, self-hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field is not validated, allowing path traversal via the file extension and enabling arbitrary file write. This arbitrary file write can be chained into arbitrary file read via .strm files, database extraction, admin privilege escalation, and ultimately remote code execution as root via ld.so.preload. Exploitation requires an administrator account or a user that has been explicitly granted the "Upload Subtitles" permission. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can grant non-administrator users Subtitle upload permissions to reduce attack surface.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type                            URI
security-advisories@github.com  https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7
security-advisories@github.com  https://github.com/jellyfin/jellyfin/security/advisories/GHSA-j2hf-x4q5-47j3

Match rules

CPE URI                                       Source package  Min version  Max version
cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*:*   jellyfin        >= None      < 10.11.7

Vulnerable and fixed packages

Source package  Branch          Version     Maintainer                        Status
jellyfin        edge-community  10.11.6-r4  Simon Zeni <simon@bl4ckb0ne.ca>   possibly vulnerable
jellyfin        edge-community  10.11.6-r3  Simon Zeni <simon@bl4ckb0ne.ca>   possibly vulnerable
jellyfin        edge-community  10.11.6-r1  Simon Zeni <simon@bl4ckb0ne.ca>   possibly vulnerable
jellyfin        edge-community  10.11.6-r0  Simon Zeni <simon@bl4ckb0ne.ca>   possibly vulnerable
jellyfin        edge-community  10.11.5-r0  Simon Zeni <simon@bl4ckb0ne.ca>   possibly vulnerable
jellyfin        edge-community  10.11.4-r0  Simon Zeni <simon@bl4ckb0ne.ca>   possibly vulnerable
jellyfin        edge-community  10.11.3-r0  Simon Zeni <simon@bl4ckb0ne.ca>   possibly vulnerable
jellyfin        edge-community  10.11.1-r0  Simon Zeni <simon@bl4ckb0ne.ca>   possibly vulnerable
jellyfin        edge-community  10.11.0-r0  Simon Zeni <simon@bl4ckb0ne.ca>   possibly vulnerable
jellyfin        edge-community  10.10.7-r0  Simon Zeni <simon@bl4ckb0ne.ca>   possibly vulnerable
jellyfin        edge-community  10.10.6-r0  Simon Zeni <simon@bl4ckb0ne.ca>   possibly vulnerable
jellyfin        edge-community  10.10.5-r0  Simon Zeni <simon@bl4ckb0ne.ca>   possibly vulnerable
jellyfin        edge-community  10.10.4-r0  Simon Zeni <simon@bl4ckb0ne.ca>   possibly vulnerable
jellyfin        edge-community  10.10.3-r0  Simon Zeni <simon@bl4ckb0ne.ca>   possibly vulnerable
jellyfin        3.23-community  10.11.6-r0  Simon Zeni <simon@bl4ckb0ne.ca>   possibly vulnerable
jellyfin        3.23-community  10.11.5-r0  Simon Zeni <simon@bl4ckb0ne.ca>   possibly vulnerable
jellyfin        3.23-community  10.11.4-r0  Simon Zeni <simon@bl4ckb0ne.ca>   possibly vulnerable