Path Traversal Flaw in Jellyfin Media Server by Jellyfin
CVE-2026-49246

Score: 1.7 (LOW)

Key Information:

Vendor: Jellyfin
Status: Vendor
CVE Published: 24 June 2026

What is CVE-2026-49246?

Jellyfin, an open-source self-hosted media server, is susceptible to a path traversal vulnerability. The flaw is triggered when a maliciously crafted MKV file is played: the filename tags carried in the container are used without sanitisation while attachments are handled for playback. Because Jellyfin trusts the MKV filename tag when combining it with the attachment directory, the combination is unsafe, and MKV attachments can be redirected to any absolute path on the disk, exposing the server to unauthorized access and data leaks. Versions prior to 10.11.10 are affected; the issue is fixed in 10.11.10.
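To illustrate the mechanism described above and the check that prevents it, the following is an added Python example, not Jellyfin's own code. It models the attachment-path join with os.path.join (which, like .NET's Path.Combine, discards the base directory when the second argument is absolute) and shows a resolver that refuses any filename tag that would land outside the attachment directory. The directory and the filename tags are constructed for the demo.

```python
import os
from typing import Dict, List, Optional

# Constructed example: the directory where extracted attachments are meant to land.
ATTACHMENT_DIR = "/var/cache/jellyfin/attachments/item-1234"


def unsafe_join(base: str, name: str) -> str:
    """The vulnerable pattern: a bare join of base + untrusted name.
    os.path.join, like .NET Path.Combine, drops `base` entirely when
    `name` is absolute, and leaves '..' segments in place."""
    return os.path.join(base, name)


def safe_attachment_path(base: str, name: str) -> Optional[str]:
    """Return an absolute path for attachment `name` guaranteed to lie
    inside `base`, or None if the name cannot be honoured safely."""
    if not name or "\x00" in name:
        return None
    # An attachment name is a single file name: no separators (either style),
    # no drive or UNC prefixes, no traversal segments.
    if "/" in name or "\\" in name or ":" in name or name in (".", ".."):
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, name))
    # Containment check after normalisation, in case anything slipped through.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def classify(base: str, names: List[str]) -> Dict[str, Optional[str]]:
    """Run every filename tag through the safe resolver."""
    return {n: safe_attachment_path(base, n) for n in names}


if __name__ == "__main__":
    # Constructed filename tags: one benign, the rest shaped to escape the base.
    tags = ["subs.ttf", "/tmp/outside.ttf", "../../../tmp/outside.ttf", "C:\\outside\\font.ttf"]
    print("unsafe join drops the base:", unsafe_join(ATTACHMENT_DIR, "/tmp/outside.ttf"))
    for tag, resolved in classify(ATTACHMENT_DIR, tags).items():
        print(f"{tag!r:32} -> {resolved}")
```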

Affected Version(s)

jellyfin < 10.11.10

References

CVSS V4

Score: 1.7
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
