CVE Catalog

CVE-2026-48793

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.36%

28th percentile — higher than 28% of all known CVEs

Summary

A vulnerability in Jellyfin before version 10.11.10 allows FFmpeg argument injection via a specially crafted subtitle filename. An unauthenticated attacker can exploit the lack of path normalization in SubtitleEncoder, leading to arbitrary file write on the server and information disclosure.

Risk Assessment

The risk includes unauthorized file write on the server and data leakage, potentially leading to system compromise or theft of sensitive information.

Recommendation

Update Jellyfin to version 10.11.10 or later immediately. Restrict access to media library directories to trusted users only.

Original NVD description (English source)

Jellyfin is an open source self hosted media server. Prior to 10.11.10, a potential FFmpeg argument injection vulnerability exists in the subtitle conversion code path. SubtitleEncoder.ConvertTextSubtitleToSrtInternal (SubtitleEncoder.cs, line 382) interpolates the subtitle file path into FFmpeg command-line arguments without calling EncodingUtils.NormalizePath(). On Linux, filenames can contain double-quote characters, which break the argument quoting and allow injection of arbitrary FFmpeg arguments. The vulnerability is reachable without authentication via SubtitleController.GetSubtitle, which has no [Authorize] attribute. An attacker who can place a file in a Jellyfin media library directory (shared NAS, Samba share, guest upload) can achieve arbitrary file write on the server and information disclosure. This vulnerability is fixed in 10.11.10.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS