CVE-2026-35033

Source
https://cve.org/CVERecord?id=CVE-2026-35033
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35033.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-35033
Aliases
  • GHSA-jh22-fw8w-2v9x
Published
2026-04-14T22:28:47.558Z
Modified
2026-07-15T01:49:01.911145072Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Jellyfin: Potential SSRF + Arbitrary file read via stream argument injection
Details

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary file read vulnerability via ffmpeg argument injection through the StreamOptions query parameter parsing mechanism. The ParseStreamOptions method in StreamingHelpers.cs adds any lowercase query parameter to a dictionary without validation, bypassing the RegularExpression attribute on the level controller parameter, and the unsanitized value is concatenated directly into the ffmpeg command line. By injecting a drawtext filter with a textfile argument, an attacker can read arbitrary server files such as /etc/shadow and exfiltrate their contents as text rendered in the video stream response. The vulnerable /Videos/{itemId}/stream endpoint has no Authorize attribute, making this exploitable without authentication, though item GUIDs are pseudorandom and require an authenticated user to obtain. This issue has been fixed in version 10.11.7.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-862",
        "CWE-88"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35033.json"
}
References

Affected packages

Git / github.com/jellyfin/jellyfin

Affected ranges

Type
GIT
Repo
https://github.com/jellyfin/jellyfin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "10.11.7"
        }
    ]
}
Type
GIT
Repo
https://github.com/jellyfin/jellyfin-web
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:jellyfin:jellyfin:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "10.11.7"
        }
    ]
}

Affected versions

v10.*
v10.0.0
v10.0.1
v10.0.2
v10.1.0
v10.11.0
v10.11.0-rc1
v10.11.0-rc2
v10.11.0-rc3
v10.11.0-rc4
v10.11.0-rc5
v10.11.0-rc6
v10.11.0-rc7
v10.11.0-rc8
v10.11.0-rc9
v10.11.1
v10.11.2
v10.11.3
v10.11.4
v10.11.5
v10.11.6
v10.3.0-rc1
v10.4.0
v10.5.0
v10.6.0
v10.8.0-alpha1
v10.8.0-alpha2
v10.8.0-alpha3
v10.8.0-alpha4
v10.8.0-alpha5
v3.*
v3.5.2-3
v3.5.2-4
v3.5.2-5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35033.json"