CVE-2026-48793
HIGHCVSS v3.1: 8.8 · EPSS: 0.0036 (27.6 percentile)
Source data as of:
At a glance
- Severity
- HIGH
- CVSS
- 8.8 v3.1 · NVD
- EPSS
- 0.0036 (27.6 percentile) · FIRST.org
- CISA KEV
- No
- Attack conditions (CVSS vector)
- NetworkNo user interaction · Source: NVD Vector
- Published
- 2026-06-24 · Modified: 2026-06-25
- References
- Jump to references (1)
CVSS / EPSS / KEV
Source — CVSS: NVD · EPSS: FIRST.org · KEV: CISA. Data & Sources
Description
Jellyfin is an open source self hosted media server. Prior to 10.11.10, a potential FFmpeg argument injection vulnerability exists in the subtitle conversion code path. SubtitleEncoder.ConvertTextSubtitleToSrtInternal (SubtitleEncoder.cs, line 382) interpolates the subtitle file path into FFmpeg command-line arguments without calling EncodingUtils.NormalizePath(). On Linux, filenames can contain double-quote characters, which break the argument quoting and allow injection of arbitrary FFmpeg arguments. The vulnerability is reachable without authentication via SubtitleController.GetSubtitle, which has no [Authorize] attribute. An attacker who can place a file in a Jellyfin media library directory (shared NAS, Samba share, guest upload) can achieve arbitrary file write on the server and information disclosure. This vulnerability is fixed in 10.11.10.
References
Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.