Path Traversal Flaw in Jellyfin Media Server by Jellyfin
CVE-2026-49246
1.7 LOW
What is CVE-2026-49246?
Jellyfin, an open-source self-hosted media server, is susceptible to a path traversal vulnerability. The flaw is triggered when a maliciously crafted MKV file is played: Jellyfin defers to the unsanitized filename tag in the MKV during playback, which leads to unsafe path combinations. As a result, MKV attachments can be redirected to any absolute path on the disk, exposing the server to unauthorized access and data leaks. This vulnerability affects versions prior to 10.11.10 and has been addressed in that release.
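The class of unsafe path combination described above, next to a hardened form, as an added Python example. It is not Jellyfin's code or its fix; the function names, the extraction-directory model and the sample tag values are assumptions constructed for illustration.

```python
import os
from pathlib import Path


class UnsafeAttachmentName(ValueError):
    """The container-supplied filename cannot be used safely."""


def naive_attachment_path(extract_dir, tag_filename):
    # Unsafe: an absolute tag_filename makes os.path.join discard extract_dir,
    # and ".." segments are passed through untouched.
    return os.path.join(extract_dir, tag_filename)


def safe_attachment_path(extract_dir, tag_filename):
    base = Path(extract_dir).resolve()
    # Treat both separator styles as separators and keep only the last
    # component, so directory parts of the untrusted tag never reach the join.
    name = tag_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if name in ("", ".", "..") or "\x00" in name:
        raise UnsafeAttachmentName(repr(tag_filename))
    candidate = (base / name).resolve()
    # Containment check after resolution also rejects a pre-existing symlink
    # inside extract_dir that points somewhere else.
    if candidate.parent != base:
        raise UnsafeAttachmentName(repr(tag_filename))
    return candidate


def classify(extract_dir, names):
    """Map each tag value to the path that would be written, or 'rejected'."""
    out = {}
    for n in names:
        try:
            out[n] = str(safe_attachment_path(extract_dir, n))
        except UnsafeAttachmentName:
            out[n] = "rejected"
    return out


# Constructed sample tag values (hypothetical, not taken from any real file).
SAMPLE_TAGS = ["Arial.ttf", "/var/tmp/outside/font.ttf", "../../font.ttf", "..", ""]
```

Calling `classify()` on `SAMPLE_TAGS` with a scratch directory shows every accepted name landing directly inside that directory, while the naive join returns the absolute tag value unchanged.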
Affected Version(s)
jellyfin < 10.11.10
