Description
Jellyfin is an open source self hosted media server. Prior to 10.11.9, a potential XSS attack exists in Jellyfin which can allow a non-privileged user to execute arbitrary Javascript in the context of a logged-in Administrative user, resulting in numerous potential issues. The Client header during an AuthenticateByName can contain arbitrary HTML and Javascript, which will then be executed by the Administrative user when visiting the Access tab of the user in question from within the dashboard. This vulnerability is fixed in 10.11.9.
Published: 2026-06-24
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A non-privileged user can submit an arbitrary Client header during an AuthenticateByName request; because the header is not sanitized, the contained HTML and JavaScript are rendered when an administrative user later views the target user's Access tab. This causes execution of the supplied script with the privileges of the logged‑in administrator, potentially allowing the attacker to read system data, modify configuration, or perform further actions within the browser context. The failure to escape user input is a classic Cross‑Site Scripting weakness (CWE‑79).

Affected Systems

Jellyfin, the open‑source self‑hosted media server, is affected in all releases prior to 10.11.9. Users running older versions should verify the installed build number; upgrading to the fixed 10.11.9 release is required to eliminate the flaw.

Risk and Exploitability

The CVSS score of 5.7 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack path requires the adversary to authenticate as a regular user to supply the malicious header, then wait until an administrator opens the user’s Access tab, which reduces the immediacy of exploitation but still permits significant damage when the admin visits the dashboard.

Generated by OpenCVE AI on June 24, 2026 at 20:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Jellyfin to version 10.11.9 or later to apply the official fix.
  • Implement a strict Content Security Policy on the dashboard pages to block execution of inline scripts, reducing impact while a patch is applied.
  • Restrict or sanitize the Client header during authentication, ensuring only permitted values are accepted and preventing malicious content from being stored.

Generated by OpenCVE AI on June 24, 2026 at 20:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Jellyfin
Jellyfin jellyfin
Vendors & Products Jellyfin
Jellyfin jellyfin

Wed, 24 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description Jellyfin is an open source self hosted media server. Prior to 10.11.9, a potential XSS attack exists in Jellyfin which can allow a non-privileged user to execute arbitrary Javascript in the context of a logged-in Administrative user, resulting in numerous potential issues. The Client header during an AuthenticateByName can contain arbitrary HTML and Javascript, which will then be executed by the Administrative user when visiting the Access tab of the user in question from within the dashboard. This vulnerability is fixed in 10.11.9.
Title Jellyfin: Potential XSS in user management
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}


Subscriptions

Jellyfin Jellyfin
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T19:19:55.345Z

Reserved: 2026-05-28T03:42:34.341Z

Link: CVE-2026-49220

cve-icon Vulnrichment

Updated: 2026-06-24T19:19:28.563Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T06:15:15Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')