Description

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not validated, allowing local file read via non-HTTP paths and Server-Side Request Forgery (SSRF) via HTTP URLs. This is exploitable by any authenticated user because the EnableLiveTvManagement permission defaults to true for all new users. An attacker can chain these vulnerabilities by adding an M3U tuner pointing to an attacker-controlled server, serving a crafted M3U with a channel pointing to the Jellyfin database, exfiltrating the database to extract admin session tokens, and escalating to admin privileges. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can disable Live TV Management privileges for all users.

INFO

Published Date :

2026-04-14T22:25:35.729Z

Last Modified :

2026-04-15T20:02:29.887Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-35032 vulnerability.

Vendors Products
Jellyfin
  • Jellyfin
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-35032.

URL Resource
https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7 cve-icon cve-icon
https://github.com/jellyfin/jellyfin/security/advisories/GHSA-8fw7-f233-ffr8 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability