Auth bypass in Jellyfin

CVE-2026-35033

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain an unauthenticated arbitrary file read vulnerability via ffmpeg argument injection through the StreamOptions query parameter parsing mechanism. The Pars…

EPSS: 0.001 (28.9th percentile) — read the EPSS interpretation.

Affected products

Jellyfin — versions < 10.11.7

Weakness classification (CWE)

References

https://github.com/jellyfin/jellyfin/security/advisories/GHSA-jh22-fw8w-2v9x (x_refsource_CONFIRM)
https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7 (x_refsource_MISC)