Platform
linux
Component
jellyfin
Fixed in
10.11.8
CVE-2026-35031 is a critical Remote Code Execution (RCE) vulnerability discovered in Jellyfin Media Server. This flaw allows attackers to leverage a path traversal vulnerability within the subtitle upload functionality to gain control of the server. The vulnerability impacts versions 10.11.0 through 10.11.6, and a patch is available in version 10.11.7.
The vulnerability lies in the handling of the 'Format' field during subtitle uploads via the POST /Videos/{itemId}/Subtitles endpoint. Lack of proper validation allows attackers to manipulate the file extension, enabling path traversal. This can be exploited to write arbitrary files to the server's filesystem. A successful exploit can lead to several severe consequences, including the extraction of sensitive database information, escalation to administrator privileges, and ultimately, the execution of arbitrary code as the root user. This represents a significant security risk, potentially allowing an attacker to completely compromise the affected Jellyfin server and any data it hosts. The ability to execute code as root significantly expands the attack surface and potential impact.
CVE-2026-35031 was publicly disclosed on 2026-04-14. While no active exploitation campaigns have been publicly confirmed, the vulnerability's critical severity and the potential for root-level code execution suggest a high likelihood of exploitation. The vulnerability chain resembles techniques used in other path traversal exploits, increasing the risk of automated scanning and exploitation. It is not currently listed on CISA KEV, but its severity warrants close monitoring.
Organizations and individuals running self-hosted Jellyfin Media Server instances, particularly those with administrator accounts accessible over the internet, are at significant risk. Shared hosting environments where multiple users share a Jellyfin instance are also vulnerable, as a compromised user account could be leveraged to exploit this vulnerability.
• linux / server:
journalctl -u jellyfin | grep -i "subtitle upload"
• linux / server:
lsof | grep jellyfin | grep /Videos
• generic web:
curl -I http://<jellyfin_server>/Videos/<item_id>/Subtitles -H "Content-Type: multipart/form-data" -d "Format=../../../../../../etc/passwd"
Disclosure
Exploit status
EPSS
0.28% (52nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-35031 is to immediately upgrade Jellyfin Media Server to version 10.11.7 or later. Prior to upgrading, it is crucial to back up your Jellyfin configuration and database. If an upgrade is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the /Videos/{itemId}/Subtitles endpoint with suspicious file extensions or path traversal attempts. Monitor server logs for any unusual file write activity or attempts to upload files with manipulated extensions. Restrict access to the subtitle upload endpoint to trusted users only.
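The root cause described above is an unvalidated 'Format' field that ends up in the on-disk filename, and the mitigation paragraph suggests filtering such requests at a WAF. The following is an added example, written for this page and not taken from Jellyfin's code base, of the kind of server-side validation that closes this class of bug: the format is checked against an allowlist, and the final path is resolved and confirmed to stay inside the subtitle directory. The allowlist, the directory and the function names are assumptions for illustration.

```python
import re
from pathlib import Path

# Assumed allowlist of subtitle formats; Jellyfin's real list may differ.
ALLOWED_FORMATS = {"srt", "ass", "ssa", "vtt", "sub"}
_FORMAT_RE = re.compile(r"^[a-z0-9]{1,8}$")
_ITEM_ID_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")
_LANG_RE = re.compile(r"^[a-z]{2,3}$")


class SubtitleUploadRejected(ValueError):
    """Raised when an upload parameter fails validation."""


def validate_format(fmt: str) -> str:
    """Normalise the user-supplied 'Format' value and require it to be on the allowlist.

    Anything containing a slash, a dot sequence or any other character outside
    [a-z0-9] fails the regex, so traversal strings never reach the filesystem.
    """
    token = fmt.strip().lower().lstrip(".")
    if not _FORMAT_RE.fullmatch(token) or token not in ALLOWED_FORMATS:
        raise SubtitleUploadRejected(f"format not allowed: {fmt!r}")
    return token


def subtitle_target_path(subtitle_dir: str, item_id: str, language: str, fmt: str) -> Path:
    """Build the destination path from validated components.

    Defence in depth: even after component validation, the resolved path must
    still lie under subtitle_dir, otherwise the write is refused.
    """
    token = validate_format(fmt)
    if not _ITEM_ID_RE.fullmatch(item_id) or not _LANG_RE.fullmatch(language):
        raise SubtitleUploadRejected("bad item id or language")
    base = Path(subtitle_dir).resolve()
    target = (base / f"{item_id}.{language}.{token}").resolve()
    if base not in target.parents:
        raise SubtitleUploadRejected("path escapes subtitle directory")
    return target


def check_upload(subtitle_dir: str, item_id: str, language: str, fmt: str) -> bool:
    """True if the upload parameters would be accepted, False if they are rejected."""
    try:
        subtitle_target_path(subtitle_dir, item_id, language, fmt)
        return True
    except SubtitleUploadRejected:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: an assumed subtitle directory and one benign
    # and one traversal-style 'Format' value.
    subs = "/var/lib/jellyfin/subtitles"
    print(check_upload(subs, "abc123", "en", "srt"))
    print(check_upload(subs, "abc123", "en", "../../../../../../etc/passwd"))
```

The allowlist check alone is sufficient to reject the traversal payload shown in the detection section; the resolved-path check is kept because it costs nothing and also protects against future changes to how the filename is assembled.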
Update Jellyfin to version 10.11.7 or later to mitigate the vulnerability. If you cannot update immediately, consider restricting subtitle upload permissions to users who are not administrators to reduce the attack surface.
CVE-2026-35031 is a critical Remote Code Execution vulnerability in Jellyfin Media Server versions 10.11.0 through 10.11.6, allowing attackers to execute arbitrary code through a path traversal flaw in the subtitle upload endpoint.
If you are running Jellyfin Media Server versions 10.11.0 through 10.11.6, you are vulnerable to this RCE vulnerability. Upgrade to 10.11.7 or later to mitigate the risk.
The recommended fix is to upgrade Jellyfin Media Server to version 10.11.7 or later. Back up your configuration and database before upgrading.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's critical severity and potential for root-level code execution suggest a high likelihood of exploitation.
Please refer to the official Jellyfin security advisory on their website for the most up-to-date information and details regarding this vulnerability.