CVE-2026-35034

Name: CVE-2026-35034

Description: Jellyfin is an open source, self-hosted media server. Versions prior to 10.11.7 contain a denial-of-service vulnerability in the SyncPlay group creation endpoint (POST /SyncPlay/New), where an authenticated user can create groups with names of unlimited size due to insufficient input validation. By sending large payloads combined with arbitrary group IDs, an attacker can lock out the endpoint for other clients attempting to join SyncPlay groups and significantly increase the memory usage of the Jellyfin process, potentially leading to an out-of-memory crash. This issue has been fixed in version 10.11.7.

NVD Severity: unknown

References

| Type | URI |
| --- | --- |
| security-advisories@github.com | https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7 |
| security-advisories@github.com | https://github.com/jellyfin/jellyfin/security/advisories/GHSA-v2jv-54xj-h76w |

Match rules

| CPE URI | Source package | Min version | Max version |
| --- | --- | --- | --- |
| cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*:* | jellyfin | >= None | < 10.11.7 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
| --- | --- | --- | --- | --- |
| jellyfin | edge-community | 10.11.6-r4 | Simon Zeni <simon@bl4ckb0ne.ca> | possibly vulnerable |
| jellyfin | edge-community | 10.11.6-r3 | Simon Zeni <simon@bl4ckb0ne.ca> | possibly vulnerable |
| jellyfin | edge-community | 10.11.6-r1 | Simon Zeni <simon@bl4ckb0ne.ca> | possibly vulnerable |
| jellyfin | edge-community | 10.11.6-r0 | Simon Zeni <simon@bl4ckb0ne.ca> | possibly vulnerable |
| jellyfin | edge-community | 10.11.5-r0 | Simon Zeni <simon@bl4ckb0ne.ca> | possibly vulnerable |
| jellyfin | edge-community | 10.11.4-r0 | Simon Zeni <simon@bl4ckb0ne.ca> | possibly vulnerable |
| jellyfin | edge-community | 10.11.3-r0 | Simon Zeni <simon@bl4ckb0ne.ca> | possibly vulnerable |
| jellyfin | edge-community | 10.11.1-r0 | Simon Zeni <simon@bl4ckb0ne.ca> | possibly vulnerable |
| jellyfin | edge-community | 10.11.0-r0 | Simon Zeni <simon@bl4ckb0ne.ca> | possibly vulnerable |
| jellyfin | edge-community | 10.10.7-r0 | Simon Zeni <simon@bl4ckb0ne.ca> | possibly vulnerable |
| jellyfin | edge-community | 10.10.6-r0 | Simon Zeni <simon@bl4ckb0ne.ca> | possibly vulnerable |
| jellyfin | edge-community | 10.10.5-r0 | Simon Zeni <simon@bl4ckb0ne.ca> | possibly vulnerable |
| jellyfin | edge-community | 10.10.4-r0 | Simon Zeni <simon@bl4ckb0ne.ca> | possibly vulnerable |
| jellyfin | edge-community | 10.10.3-r0 | Simon Zeni <simon@bl4ckb0ne.ca> | possibly vulnerable |
| jellyfin | 3.23-community | 10.11.6-r0 | Simon Zeni <simon@bl4ckb0ne.ca> | possibly vulnerable |
| jellyfin | 3.23-community | 10.11.5-r0 | Simon Zeni <simon@bl4ckb0ne.ca> | possibly vulnerable |
| jellyfin | 3.23-community | 10.11.4-r0 | Simon Zeni <simon@bl4ckb0ne.ca> | possibly vulnerable |