Impact
A flaw in Jellyfin’s subtitle conversion process allows an attacker to inject arbitrary FFmpeg command‑line arguments by exploiting unescaped full‑path handling of the subtitle file. Because the path can contain double‑quote characters on Linux, the quoted argument breaks and enables injection. The vulnerability grants an attacker the ability to write arbitrary files to the server and read other data, effectively leading to destructive file modification and sensitive information capture.
Affected Systems
All Jellyfin installations running a version earlier than 10.11.10 on Linux platforms. The risk applies when media libraries are located on shared storage such as NAS or Samba shares where an individual can place files in the library directories, or when guest uploads are allowed.
Risk and Exploitability
The vulnerability is high severity with a CVSS score of 8.8, and it does not require authentication because the SubtitleController.GetSubtitle endpoint is publicly exposed. An attacker who controls a file in a media library can trigger the injection simply by requesting the subtitle endpoint, resulting in silent file creation or modification. Although EPSS data is unavailable and the issue is not catalogued in KEV, the lack of an authentication barrier and the ability to write files means the risk of exploitation remains significant in environments with accessible media libraries.
OpenCVE Enrichment