In Jellyfin 10.8.x through 10.8.3, the name of a playlist is vulnerable to stored XSS. This allows an attacker to steal access tokens from the localStorage of the victim.
{ "github_reviewed_at": "2025-03-27T21:18:22Z", "cwe_ids": [ "CWE-79" ], "nvd_published_at": "2023-02-03T01:15:00Z", "severity": "MODERATE", "github_reviewed": true }