Path Traversal in Jellyfin
CVE-2026-49246
Jellyfin is an open-source, self-hosted media server. Prior to 10.11.10, a specially crafted MKV file containing forged filename tags can be leveraged to exploit missing path sanitization during playback. Jellyfin treats the MKV file nam…
Vulnerability class: Path Traversal (Directory Traversal)
Affected products
- Jellyfin — versions < 10.11.10
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)