Arbitrary Code Execution Vulnerability in Jellyfin iOS by Jellyfin
CVE-2026-31852
What is CVE-2026-31852?
The repository for the Jellyfin iOS application has a vulnerability in its GitHub Actions workflow (code-quality.yml) that allows arbitrary code execution through pull requests from forked repositories. Because the workflow runs with elevated permissions, the risks are significant: repository takeover, exfiltration of sensitive secrets, and potential supply chain attacks on the Apple App Store. Possible cross-repository token usage extends the impact to the integrity of the Jellyfin organization as a whole, so repository maintainers need to manage workflow permissions carefully.

Affected Version(s)
code-quality.yml < 109217e75f38394b2f6e46e25dfe5a721203d3c8
