Description
Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via `POST /api/getUserDetails` and `POST /api/getLibrary`, enabling full read of any table in the database - including `app_config`, which stores the Jellystat admin credentials, the Jellyfin API key, and the Jellyfin host URL. Because the vulnerable call site dispatches via `node-postgres`'s simple query protocol (no parameter array is passed), stacked queries are allowed, which escalates the injection from data disclosure to arbitrary command execution on the PostgreSQL host via `COPY ... TO PROGRAM`. Under the role shipped by the project's `docker-compose.yml` (a PostgreSQL superuser), no additional privileges are required to reach the RCE primitive. Version 1.1.10 contains a fix.
Published: 2026-04-22
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Jellystat builds SQL queries by directly interpolating unsanitized request-body fields into raw SQL strings for the endpoints POST /api/getUserDetails and POST /api/getLibrary. An attacker who authenticates to the application can inject arbitrary SQL, read every table (including app_config, where administrator credentials, API keys, and host URLs are stored) and, because the query is executed via node-postgres' simple query protocol, use stacked statements such as COPY ... TO PROGRAM to execute commands on the PostgreSQL host. With the role used in the provided docker-compose.yml, the database user is a superuser, so no additional privileges are required to escalate from SQL injection to remote code execution.
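The two query patterns at the heart of this advisory, shown side by side as an added example that is not Jellystat's own code. The table and column names (jf_users, "Id") and the request-body field name are assumptions; the recording client is a stand-in for a node-postgres client so the example runs offline.

```javascript
// Stand-in for a node-postgres client: records what it is asked to run instead
// of talking to PostgreSQL (constructed for this example; synchronous for brevity).
function makeRecordingClient() {
  const calls = [];
  return {
    calls,
    query(textOrConfig, values) {
      // node-postgres accepts either query(text, values) or query({ text, values })
      const cfg = typeof textOrConfig === 'string'
        ? { text: textOrConfig, values }
        : textOrConfig;
      calls.push(cfg);
      return { rows: [] };
    },
  };
}

// Vulnerable pattern (the bug class in the advisory): the request-body field is
// spliced into the SQL text and sent with no values array. node-postgres then
// uses the simple query protocol, and the server executes every ';'-separated
// statement in the string, so the input controls both content and statement count.
function getUserDetailsVulnerable(client, body) {
  const sql = `SELECT * FROM jf_users WHERE "Id" = '${body.userid}'`; // assumed schema
  return client.query(sql);
}

// Hardened pattern: the field travels in the values array. node-postgres then
// uses the extended query protocol (exactly one statement, typed parameters),
// so the input can never change the query text, whatever characters it holds.
function getUserDetailsSafe(client, body) {
  if (typeof body.userid !== 'string') throw new TypeError('userid must be a string');
  return client.query('SELECT * FROM jf_users WHERE "Id" = $1', [body.userid]);
}

// Guard for code review, tests or a client wrapper: reject any query that would
// be sent over the simple protocol, i.e. any call without a values array.
function assertParameterized(cfg) {
  if (!Array.isArray(cfg.values)) {
    throw new Error(`query without values array (simple protocol): ${cfg.text}`);
  }
  return true;
}
```

The guard is the cheap invariant to enforce across a code base: every query() call carries a values array, so stacked statements are rejected by the protocol itself rather than by input filtering.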

Affected Systems

The affected product is Jellystat from CyferShepard. All versions prior to 1.1.10 are vulnerable.

Risk and Exploitability

The CVSS score of 9.1 (Critical) reflects a flaw that can lead to full server compromise through the database. While an EPSS score is not available, the vulnerability exists in open-source code that is publicly accessible, making exploitation more likely. The flaw is not listed in CISA's KEV catalog. The attack vector is remote and requires the attacker to be able to authenticate and submit POST requests to the vulnerable routes. Once authenticated, the attacker can read sensitive data, access admin credentials, and ultimately run arbitrary commands on the host system.

Generated by OpenCVE AI on April 27, 2026 at 08:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Jellystat to version 1.1.10 or newer, which sanitizes input and removes the vulnerable endpoints.
  • If upgrading immediately is not possible, restrict or block POST requests to /api/getUserDetails and /api/getLibrary from untrusted clients, or require additional authorization checks before allowing these requests.
  • Reconfigure the PostgreSQL service so the application connects as a non‑superuser with limited privileges, ensuring that even if an injection occurs it cannot reach the COPY … TO PROGRAM command.



Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Cyfershepard; Cyfershepard jellystat
Vendors & Products | | Cyfershepard; Cyfershepard jellystat

Thu, 23 Apr 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | | Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via `POST /api/getUserDetails` and `POST /api/getLibrary`, enabling full read of any table in the database - including `app_config`, which stores the Jellystat admin credentials, the Jellyfin API key, and the Jellyfin host URL. Because the vulnerable call site dispatches via `node-postgres`'s simple query protocol (no parameter array is passed), stacked queries are allowed, which escalates the injection from data disclosure to arbitrary command execution on the PostgreSQL host via `COPY ... TO PROGRAM`. Under the role shipped by the project's `docker-compose.yml` (a PostgreSQL superuser), no additional privileges are required to reach the RCE primitive. Version 1.1.10 contains a fix.
Title | | Jellystat has SQL Injection that leads to Remote Code Execution
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-23T13:46:23.680Z

Reserved: 2026-04-17T16:34:45.525Z

Link: CVE-2026-41167

Vulnrichment

Updated: 2026-04-23T13:46:19.430Z

NVD

Status : Deferred

Published: 2026-04-22T21:17:09.303

Modified: 2026-04-29T20:46:33.890

Link: CVE-2026-41167

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T19:53:05Z

Weaknesses