SSRF in Jellyfin

CVE-2026-35032

Jellyfin is an open-source, self-hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not validated, allowing local file read via non…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.000 (3.9th percentile)
