Impact
A non-privileged user can submit an arbitrary Client header during an AuthenticateByName request; because the header is not sanitized, the contained HTML and JavaScript are rendered when an administrative user later views the target user's Access tab. This causes execution of the supplied script with the privileges of the logged‑in administrator, potentially allowing the attacker to read system data, modify configuration, or perform further actions within the browser context. The failure to escape user input is a classic Cross‑Site Scripting weakness (CWE‑79).
Affected Systems
Jellyfin, the open‑source self‑hosted media server, is affected in all releases prior to 10.11.9. Users running older versions should verify the installed build number; upgrading to the fixed 10.11.9 release is required to eliminate the flaw.
Risk and Exploitability
The CVSS score of 5.7 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack path requires the adversary to authenticate as a regular user to supply the malicious header, then wait until an administrator opens the user’s Access tab, which reduces the immediacy of exploitation but still permits significant damage when the admin visits the dashboard.
OpenCVE Enrichment