8.8
CVE-2026-49247
- EPSS 0.34%
- Veröffentlicht 24.06.2026 18:18:46
- Zuletzt bearbeitet 26.06.2026 05:16:28
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Jellyfin: Potential Authenticated path traversal in /ClientLog/Document
Jellyfin is an open source self hosted media server. From 10.9.0 until 10.11.10, the POST /ClientLog/Document endpoint accepts the Authorization header's Client and Version fields and uses them unsanitized as components of the on-disk filename when persisting client-uploaded log documents. As a result, any authenticated non-admin user can include ../ sequences in the Client field to cause Jellyfin to write attacker-controlled content to arbitrary paths reachable by the Jellyfin service user, with a forced .log suffix. This vulnerability is fixed in 10.11.10.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellerjellyfin
≫
Produkt
jellyfin
Version
>= 10.9.0, < 10.11.10
Status
affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.34% | 0.263 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
https://github.com/jellyfin/jellyfin/security/advisories/GHSA-jg92-mrxq-vv75