CVE-2025-24960 · HIGH 8.7 · EPSS p37.8%

CVE-2025-24960

Description

Jellystat is a free and open source statistics app for Jellyfin. In affected versions Jellystat uses user input directly in its route(s), which can lead to path traversal vulnerabilities. Since this functionality is only available to admin(s), there is very little scope for abuse. However, the `DELETE files/:filename` route can be used to delete any file. This issue has been addressed in version 1.1.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Scoring

CVSS 3.1: 8.7 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
EPSS: 0.48% probability of exploitation · percentile 37.8% · 2026-06-19T12:03:05Z
Published: 2025-02-03
Last modified: 2026-04-15

Underlying weaknesses (1)

CWE-22

References

  1. https://cwe.mitre.org/data/definitions/22.html
  2. https://github.com/CyferShepard/Jellystat/pull/303
  3. https://github.com/CyferShepard/Jellystat/security/advisories/GHSA-6x46-6w9f-ffv6

Type: Weakness
Target: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (cwe-22)
Confidence: 0%
Tier: live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-41167
CVE: CVE-2026-35031
CVE: CVE-2026-35033
CVE: CVE-2025-31499
CVE: CVE-2025-14520
CVE: CVE-2026-35032

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.