CVE-2025-64325

Source
https://cve.org/CVERecord?id=CVE-2025-64325
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64325.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-64325
Aliases
  • GHSA-2gwc-988r-2r7x
Published
2025-11-18T22:32:06.902Z
Modified
2026-03-14T12:52:18.783218Z
Severity
  • 8.4 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
Emby Server is Vulnerable to Remote Code Execution Through XSS in Admin Dashboard
Details

Emby Server is a personal media server. In versions prior to 4.8.1.0 and Beta versions prior to 4.9.0.0-beta, a malicious user can send an authentication request with a manipulated X-Emby-Client value, which is added to the devices section of the admin dashboard without sanitization. This issue has been patched in version 4.8.1.0 and Beta version 4.9.0.0-beta.

Database specific
{
    "cwe_ids": [
        "CWE-116",
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64325.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/mediabrowser/emby.releases

Affected ranges

Type
GIT
Repo
https://github.com/mediabrowser/emby.releases
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.8.1.0"
        }
    ]
}

Affected versions

3.*
3.2.31
3.2.32.0
3.2.33.0
3.2.34.0
3.2.35.0
3.2.40.0
3.2.50.0
3.2.60.0
3.2.70.0
3.3.0.0
3.3.1.0
3.3.1.10
3.3.1.11
3.3.1.12
3.3.1.13
3.3.1.14
3.3.1.15
3.3.1.16
3.3.1.17
3.3.1.18
3.3.1.19
3.3.1.20
3.3.1.21
3.3.1.22
3.3.1.23
3.3.1.24
3.3.1.25
3.3.1.26
3.3.1.27
3.3.1.28
3.3.1.7
3.3.1.8
3.3.1.9
3.4.0.0
3.4.0.3
3.4.0.4
3.4.1.0
3.4.1.1
3.4.1.10
3.4.1.11
3.4.1.12
3.4.1.13
3.4.1.14
3.4.1.15
3.4.1.16
3.4.1.17
3.4.1.18
3.4.1.19
3.4.1.2
3.4.1.20
3.4.1.21
3.4.1.22
3.4.1.23
3.4.1.24
3.4.1.27
3.4.1.28
3.4.1.29
3.4.1.30
3.4.1.31
3.4.1.32
3.4.1.33
3.4.1.34
3.4.1.35
3.4.1.5
3.4.1.6
3.4.1.7
3.4.1.8
3.4.1.9
3.5.0.0
3.5.1.0
3.5.2.0
3.5.3.0
3.6.0.1
3.6.0.2
3.6.0.31
3.6.0.32
3.6.0.33
3.6.0.34
3.6.0.38
3.6.0.39
3.6.0.40
3.6.0.41
3.6.0.42
3.6.0.43
3.6.0.44
3.6.0.45
3.6.0.46
3.6.0.47
3.6.0.49
3.6.0.50
3.6.0.51
3.6.0.52
3.6.0.53
3.6.0.54
3.6.0.55
3.6.0.56
3.6.0.57
3.6.0.58
3.6.0.59
3.6.0.60
3.6.0.61
3.6.0.63
3.6.0.64
3.6.0.65
3.6.0.66
3.6.0.67
3.6.0.68
3.6.0.69
3.6.0.70
3.6.0.71
3.6.0.72
3.6.0.73
3.6.0.74
3.6.0.75
3.6.0.76
3.6.0.77
3.6.0.78
3.6.0.79
3.6.0.80
3.6.0.81
3.6.0.82
3.6.0.83
3.6.0.84
4.*
4.0.0.0
4.0.0.1
4.0.0.2
4.0.1.0
4.0.2.0
4.0.3.0
4.1.0.0
4.1.0.1
4.1.0.10
4.1.0.11
4.1.0.12
4.1.0.13
4.1.0.14
4.1.0.15
4.1.0.16
4.1.0.17
4.1.0.18
4.1.0.19
4.1.0.2
4.1.0.20
4.1.0.21
4.1.0.22
4.1.0.23
4.1.0.24
4.1.0.25
4.1.0.26
4.1.0.3
4.1.0.4
4.1.0.5
4.1.0.6
4.1.0.7
4.1.0.8
4.1.0.9
4.1.1.0
4.2.0.0
4.2.0.1
4.2.0.10
4.2.0.11
4.2.0.12
4.2.0.13
4.2.0.14
4.2.0.15
4.2.0.16
4.2.0.17
4.2.0.18
4.2.0.19
4.2.0.20
4.2.0.21
4.2.0.22
4.2.0.23
4.2.0.24
4.2.0.25
4.2.0.26
4.2.0.27
4.2.0.28
4.2.0.29
4.2.0.30
4.2.0.31
4.2.0.32
4.2.0.33
4.2.0.34
4.2.0.35
4.2.0.36
4.2.0.4
4.2.0.40
4.2.0.5
4.2.0.6
4.2.0.7
4.2.0.8
4.2.0.9
4.2.1.0
4.3.0.0
4.3.0.1
4.3.0.10
4.3.0.11
4.3.0.12
4.3.0.13
4.3.0.14
4.3.0.15
4.3.0.16
4.3.0.17
4.3.0.18
4.3.0.19
4.3.0.2
4.3.0.20
4.3.0.21
4.3.0.22
4.3.0.23
4.3.0.24
4.3.0.25
4.3.0.26
4.3.0.3
4.3.0.30
4.3.0.4
4.3.0.5
4.3.0.6
4.3.0.7
4.3.0.8
4.3.0.9
4.3.1.0
4.4.0.0
4.4.0.1
4.4.0.10
4.4.0.11
4.4.0.12
4.4.0.13
4.4.0.14
4.4.0.15
4.4.0.16
4.4.0.17
4.4.0.18
4.4.0.19
4.4.0.2
4.4.0.20
4.4.0.21
4.4.0.22
4.4.0.23
4.4.0.24
4.4.0.25
4.4.0.26
4.4.0.27
4.4.0.28
4.4.0.29
4.4.0.3
4.4.0.30
4.4.0.4
4.4.0.40
4.4.0.5
4.4.0.6
4.4.0.7
4.4.0.9
4.4.1.0
4.4.2.0
4.4.3.0
4.5.0.1
4.5.0.10
4.5.0.11
4.5.0.12
4.5.0.13
4.5.0.14
4.5.0.15
4.5.0.16
4.5.0.17
4.5.0.18
4.5.0.19
4.5.0.2
4.5.0.20
4.5.0.21
4.5.0.22
4.5.0.23
4.5.0.24
4.5.0.25
4.5.0.26
4.5.0.27
4.5.0.28
4.5.0.29
4.5.0.3
4.5.0.30
4.5.0.4
4.5.0.5
4.5.0.50
4.5.0.6
4.5.0.7
4.5.0.8
4.5.0.9
4.5.1.0
4.5.2.0
4.5.3.0
4.5.4.0
4.6.0.1
4.6.0.10
4.6.0.2
4.6.0.20
4.6.0.21
4.6.0.22
4.6.0.26
4.6.0.28
4.6.0.29
4.6.0.3
4.6.0.30
4.6.0.31
4.6.0.32
4.6.0.33
4.6.0.34
4.6.0.35
4.6.0.36
4.6.0.37
4.6.0.38
4.6.0.39
4.6.0.4
4.6.0.40
4.6.0.41
4.6.0.42
4.6.0.43
4.6.0.44
4.6.0.45
4.6.0.46
4.6.0.47
4.6.0.48
4.6.0.5
4.6.0.50
4.6.0.51
4.6.0.52
4.6.0.6
4.6.0.7
4.6.0.8
4.6.0.9
4.6.1.0
4.6.2.0
4.6.3.0
4.6.4.0
4.6.5.0
4.6.6.0
4.6.7.0
4.7.0.0
4.7.0.1
4.7.0.10
4.7.0.11
4.7.0.12
4.7.0.13
4.7.0.14
4.7.0.17
4.7.0.18
4.7.0.19
4.7.0.2
4.7.0.20
4.7.0.21
4.7.0.22
4.7.0.23
4.7.0.24
4.7.0.25
4.7.0.26
4.7.0.27
4.7.0.28
4.7.0.29
4.7.0.3
4.7.0.30
4.7.0.31
4.7.0.32
4.7.0.33
4.7.0.34
4.7.0.35
4.7.0.36
4.7.0.37
4.7.0.38
4.7.0.39
4.7.0.4
4.7.0.40
4.7.0.5
4.7.0.60
4.7.0.7
4.7.0.8
4.7.0.9
4.7.1.0
4.7.10.0
4.7.11.0
4.7.12.0
4.7.13.0
4.7.14.0
4.7.2.0
4.7.3.0
4.7.4.0
4.7.5.0
4.7.6.0
4.7.7.0
4.7.8.0
4.7.9.0
4.8.0.0
4.8.0.1
4.8.0.10
4.8.0.11
4.8.0.12
4.8.0.13
4.8.0.14
4.8.0.15
4.8.0.16
4.8.0.17
4.8.0.18
4.8.0.19
4.8.0.2
4.8.0.20
4.8.0.21
4.8.0.24
4.8.0.25
4.8.0.26
4.8.0.27
4.8.0.28
4.8.0.29
4.8.0.3
4.8.0.30
4.8.0.31
4.8.0.31-beta
4.8.0.32
4.8.0.33
4.8.0.34
4.8.0.35
4.8.0.36
4.8.0.37
4.8.0.38
4.8.0.39
4.8.0.4
4.8.0.40
4.8.0.41
4.8.0.41-beta
4.8.0.42
4.8.0.43
4.8.0.44
4.8.0.45
4.8.0.46
4.8.0.47
4.8.0.48
4.8.0.49
4.8.0.5
4.8.0.50
4.8.0.51
4.8.0.52
4.8.0.53
4.8.0.54
4.8.0.55
4.8.0.56
4.8.0.57
4.8.0.58
4.8.0.59
4.8.0.6
4.8.0.60
4.8.0.61
4.8.0.62
4.8.0.63
4.8.0.64
4.8.0.65
4.8.0.66
4.8.0.67
4.8.0.68
4.8.0.69
4.8.0.7
4.8.0.70
4.8.0.71
4.8.0.72
4.8.0.73
4.8.0.74
4.8.0.75
4.8.0.76
4.8.0.77
4.8.0.78
4.8.0.8
4.8.0.80
4.8.0.9
4.9.0.0
4.9.0.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64325.json"