Impact
A crafted MKV file can exploit Jellyfin’s lack of path sanitization when reading attachment filenames. The vulnerability allows the attacker to redirect the extraction of attachment files to an arbitrary absolute path on the server’s disk, potentially overwriting critical files. Such an overwrite could lead to execution of arbitrary code or other malicious actions, compromising both confidentiality and integrity of the system.
Affected Systems
The issue affects Jellyfin servers prior to version 10.11.10. Any user adding or playing a malicious MKV file within the media library is susceptible. The product is the open‑source Jellyfin media server.
Risk and Exploitability
The CVSS score of 1.7 indicates a low severity metric, but the ability to write to arbitrary locations makes this a high‑impact flaw when exploited. The EPSS score is unavailable, so the likelihood of exploitation is unknown, and the vulnerability is not currently listed in CISA’s KEV catalog. The likely attack vector is a file upload or playback action with a specially crafted MKV, making the flaw exploitable by anyone who can introduce such a file into the server’s media library.
OpenCVE Enrichment