CVE-2026-35032HIGH 8.1EPSS p22.8%

CVE-2026-35032CVE-2026-35032

Description

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not validated, allowing local file read via non-HTTP paths and Server-Side Request Forgery (SSRF) via HTTP URLs. This is exploitable by any authenticated user because the EnableLiveTvManagement permission defaults to true for all new users. An attacker can chain these vulnerabilities by adding an M3U tuner pointing to an attacker-controlled server, serving a crafted M3U with a channel pointing to the Jellyfin database, exfiltrating the database to extract admin session tokens, and escalating to admin privileges. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can disable Live TV Management privileges for all users.

Scoring

CVSS 3.18.1 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS0.31% probability of exploitation · percentile 22.8% · 2026-06-18T12:00:27Z
Published2026-04-14
Last modified2026-04-23

Underlying weaknesses· 2

CWE-73CWE-918

References

  1. https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7
  2. https://github.com/jellyfin/jellyfin/security/advisories/GHSA-8fw7-f233-ffr8

2

TypeTargetConfidenceTier
WeaknessExternal Control of File Name or Pathcwe-730%live
WeaknessServer-Side Request Forgery (SSRF)cwe-9180%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-35031
CVE
CVE-2026-35033
CVE
CVE-2025-31499
CVE
CVE-2026-27707
CVE
CVE-2026-32891
CVE
CVE-2026-31852
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.