CVE-2026-41167 · CRITICAL 9.1 · EPSS p40.0%


Description

Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via `POST /api/getUserDetails` and `POST /api/getLibrary`, enabling a full read of any table in the database, including `app_config`, which stores the Jellystat admin credentials, the Jellyfin API key, and the Jellyfin host URL. Because the vulnerable call site dispatches via `node-postgres`'s simple query protocol (no parameter array is passed), stacked queries are allowed, which escalates the injection from data disclosure to arbitrary command execution on the PostgreSQL host via `COPY ... TO PROGRAM`. Under the role shipped by the project's `docker-compose.yml` (a PostgreSQL superuser), no additional privileges are required to reach the RCE primitive. Version 1.1.10 contains a fix.
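As an added illustration of the call shape the description identifies (this is not Jellystat's own code and not the project's fix): a small static check that scans JavaScript source for node-postgres `.query()` calls whose SQL text is assembled by template interpolation or string concatenation with no values array, i.e. the simple-protocol shape that permits stacked statements, shown beside a constructed hardened form that uses a `$1` placeholder with a values array. The route, table and column names in the samples are assumptions.

```javascript
// Added example, not Jellystat's code: flag node-postgres `.query(...)` calls
// whose SQL text is built dynamically (template `${...}` or string `+`) with no
// values array, so the driver sends it via the simple query protocol.
// Index of the first `stop` char in `text` outside quotes and nested brackets, or -1.
function topLevelIndex(text, stop) {
  let depth = 0, quote = null;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (quote) { if (c === '\\') i++; else if (c === quote) quote = null; }
    else if (c === '"' || c === "'" || c === '`') quote = c;
    else if (c === stop && depth === 0) return i;
    else if ('([{'.includes(c)) depth++;
    else if (')]}'.includes(c)) depth--;
  }
  return -1;
}

// One finding per `.query()` call with dynamic SQL text and no values array (heuristic).
function findInterpolatedQueries(source, file = '<input>') {
  const findings = [];
  for (const m of source.matchAll(/\.query\s*\(/g)) {
    const rest = source.slice(m.index + m[0].length);
    const close = topLevelIndex(rest, ')');
    if (close < 0) continue;                                 // unbalanced call, skip
    const args = rest.slice(0, close);
    const comma = topLevelIndex(args, ',');
    const [sqlArg, valuesArg] = comma < 0 ? [args, ''] : [args.slice(0, comma), args.slice(comma + 1)];
    const dynamic = /\$\{/.test(sqlArg) || /["'`]\s*\+|\+\s*["'`]/.test(sqlArg);
    if (dynamic && !/^\s*\[/.test(valuesArg)) {
      const line = source.slice(0, m.index).split('\n').length;
      findings.push({ file, line, sql: sqlArg.trim() });
    }
  }
  return findings;
}

// Constructed sample (hypothetical names) in the vulnerable shape: interpolation, no values array.
const VULNERABLE_SRC = `router.post('/getUserDetails', async (req, res) => {
  const { userid } = req.body;
  const result = await pool.query(\`SELECT * FROM users WHERE id = '\${userid}'\`);
  res.json(result.rows);
});`;

// Constructed sample in the hardened shape: placeholder plus values array, so
// node-postgres uses the extended protocol and the server accepts one statement only.
const HARDENED_SRC = `router.post('/getUserDetails', async (req, res) => {
  const { userid } = req.body;
  const result = await pool.query('SELECT * FROM users WHERE id = $1', [userid]);
  res.json(result.rows);
});`;
```

The check is a heuristic: it does not flag dynamic SQL text that also passes a values array (identifier interpolation, for instance), so treat its output as a starting list for review rather than a proof of absence.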

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.52% probability of exploitation · percentile 40.0% · 2026-06-19T12:03:05Z
Published: 2026-04-22
Last modified: 2026-04-29

Underlying weaknesses (1)

CWE-89

References

  1. https://github.com/CyferShepard/Jellystat/commit/735fe7c6eb0e3e34e92a8a82fd21914d76693665
  2. https://github.com/CyferShepard/Jellystat/security/advisories/GHSA-fj7c-2p5q-g56m


Type: Weakness
Target: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (cwe-89)
Confidence: 0%
Tier: live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2025-24960
CVE-2025-31499
CVE-2026-35031
CVE-2026-35033
CVE-2026-7816
CVE-2026-32950
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.