Description
Jellyfin is an open source self hosted media server. Prior to 10.11.10, a potential FFmpeg argument injection vulnerability exists in the subtitle conversion code path. SubtitleEncoder.ConvertTextSubtitleToSrtInternal (SubtitleEncoder.cs, line 382) interpolates the subtitle file path into FFmpeg command-line arguments without calling EncodingUtils.NormalizePath(). On Linux, filenames can contain double-quote characters, which break the argument quoting and allow injection of arbitrary FFmpeg arguments. The vulnerability is reachable without authentication via SubtitleController.GetSubtitle, which has no [Authorize] attribute. An attacker who can place a file in a Jellyfin media library directory (shared NAS, Samba share, guest upload) can achieve arbitrary file write on the server and information disclosure. This vulnerability is fixed in 10.11.10.
Published: 2026-06-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Jellyfin’s subtitle conversion process allows an attacker to inject arbitrary FFmpeg command‑line arguments by exploiting unescaped full‑path handling of the subtitle file. Because the path can contain double‑quote characters on Linux, the quoted argument breaks and enables injection. The vulnerability grants an attacker the ability to write arbitrary files to the server and read other data, effectively leading to destructive file modification and sensitive information capture.

Affected Systems

All Jellyfin installations running a version earlier than 10.11.10 on Linux platforms. The risk applies when media libraries are located on shared storage such as NAS or Samba shares where an individual can place files in the library directories, or when guest uploads are allowed.

Risk and Exploitability

The vulnerability is high severity with a CVSS score of 8.8, and it does not require authentication because the SubtitleController.GetSubtitle endpoint is publicly exposed. An attacker who controls a file in a media library can trigger the injection simply by requesting the subtitle endpoint, resulting in silent file creation or modification. Although EPSS data is unavailable and the issue is not catalogued in KEV, the lack of an authentication barrier and the ability to write files means the risk of exploitation remains significant in environments with accessible media libraries.

Generated by OpenCVE AI on June 24, 2026 at 19:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Jellyfin to version 10.11.10 or later, which sanitizes subtitle file paths before calling FFmpeg.
  • Restrict write access to media library directories so that only trusted users can place files, or move libraries to filesystems that disallow double‑quote characters.
  • Configure network or application-level controls to require authentication for the SubtitleController.GetSubtitle endpoint, preventing unauthenticated access to potential injection points.

Generated by OpenCVE AI on June 24, 2026 at 19:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
First Time appeared Jellyfin
Jellyfin jellyfin
Vendors & Products Jellyfin
Jellyfin jellyfin

Wed, 24 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description Jellyfin is an open source self hosted media server. Prior to 10.11.10, a potential FFmpeg argument injection vulnerability exists in the subtitle conversion code path. SubtitleEncoder.ConvertTextSubtitleToSrtInternal (SubtitleEncoder.cs, line 382) interpolates the subtitle file path into FFmpeg command-line arguments without calling EncodingUtils.NormalizePath(). On Linux, filenames can contain double-quote characters, which break the argument quoting and allow injection of arbitrary FFmpeg arguments. The vulnerability is reachable without authentication via SubtitleController.GetSubtitle, which has no [Authorize] attribute. An attacker who can place a file in a Jellyfin media library directory (shared NAS, Samba share, guest upload) can achieve arbitrary file write on the server and information disclosure. This vulnerability is fixed in 10.11.10.
Title Jellyfin: Potential FFmpeg argument injection via unescaped subtitle file path
Weaknesses CWE-88
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Jellyfin Jellyfin
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-26T03:56:00.432Z

Reserved: 2026-05-22T20:18:20.366Z

Link: CVE-2026-48793

cve-icon Vulnrichment

Updated: 2026-06-24T18:50:36.857Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T06:30:16Z

Weaknesses
  • CWE-88

    Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')