CVE-2026-35032

Source
https://cve.org/CVERecord?id=CVE-2026-35032
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35032.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-35032
Aliases
  • GHSA-8fw7-f233-ffr8
Published
2026-04-14T22:25:35.729Z
Modified
2026-07-08T08:12:58.284320710Z
Severity
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Jellyfin: Potential SSRF + Arbitrary file read via LiveTV M3U tuner
Details

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not validated, allowing local file read via non-HTTP paths and Server-Side Request Forgery (SSRF) via HTTP URLs. This is exploitable by any authenticated user because the EnableLiveTvManagement permission defaults to true for all new users. An attacker can chain these vulnerabilities by adding an M3U tuner pointing to an attacker-controlled server, serving a crafted M3U with a channel pointing to the Jellyfin database, exfiltrating the database to extract admin session tokens, and escalating to admin privileges. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can disable Live TV Management privileges for all users.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-73",
        "CWE-918"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35032.json"
}
References

Affected packages

Git / github.com/jellyfin/jellyfin

Affected ranges

Type
GIT
Repo
https://github.com/jellyfin/jellyfin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "10.11.7"
        }
    ],
    "cpe": "cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ]
}
Type
GIT
Repo
https://github.com/jellyfin/jellyfin-web
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "10.11.7"
        }
    ],
    "cpe": "cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE"
}

Affected versions

v10.*
v10.0.0
v10.0.1
v10.0.2
v10.1.0
v10.11.0
v10.11.0-rc1
v10.11.0-rc2
v10.11.0-rc3
v10.11.0-rc4
v10.11.0-rc5
v10.11.0-rc6
v10.11.0-rc7
v10.11.0-rc8
v10.11.0-rc9
v10.11.1
v10.11.2
v10.11.3
v10.11.4
v10.11.5
v10.11.6
v10.3.0-rc1
v10.4.0
v10.5.0
v10.6.0
v10.8.0-alpha1
v10.8.0-alpha2
v10.8.0-alpha3
v10.8.0-alpha4
v10.8.0-alpha5
v3.*
v3.5.2-3
v3.5.2-4
v3.5.2-5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35032.json"