NIXPKGS-2026-1110

GitHub issue published on

Permalink CVE-2026-35032

updated 18 hours ago by @LeSuisse Activity log

Created automatic suggestion 21 hours ago
@LeSuisse ignored
19 packages
- jellyfin-rpc
- jellyfin-tui
- jellyfin-web
- jellyfin-ffmpeg
- mopidy-jellyfin
- jellyfin-desktop
- jellyfin-mpv-shim
- jellyfin-media-player
- kodiPackages.jellyfin
- python312Packages.aiojellyfin
- python313Packages.aiojellyfin
- python314Packages.aiojellyfin
- mopidyPackages.mopidy-jellyfin
- home-assistant-component-tests.jellyfin
- tests.home-assistant-components.jellyfin
- python312Packages.jellyfin-apiclient-python
- python313Packages.jellyfin-apiclient-python
- python314Packages.jellyfin-apiclient-python
- tests.home-assistant-component-tests.jellyfin
18 hours ago
@LeSuisse ignored reference https://g… 18 hours ago
@LeSuisse ignored
4 maintainers
- @jojosch
- @minijackson
- @nyanloutre
- @purcell
18 hours ago maintainer.ignore
@LeSuisse accepted 18 hours ago
@LeSuisse published on GitHub 18 hours ago

Jellyfin: Potential SSRF + Arbitrary file read via LiveTV M3U tuner

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the LiveTV M3U tuner endpoint (POST /LiveTv/TunerHosts), where the tuner URL is not validated, allowing local file read via non-HTTP paths and Server-Side Request Forgery (SSRF) via HTTP URLs. This is exploitable by any authenticated user because the EnableLiveTvManagement permission defaults to true for all new users. An attacker can chain these vulnerabilities by adding an M3U tuner pointing to an attacker-controlled server, serving a crafted M3U with a channel pointing to the Jellyfin database, exfiltrating the database to extract admin session tokens, and escalating to admin privileges. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can disable Live TV Management privileges for all users.

References

https://github.com/jellyfin/jellyfin/security/advisories/GHSA-8fw7-f233-ffr8 x_refsource_CONFIRM

Ignored references (1)

https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7 x_refsource_MISC

Affected products

jellyfin

==< 10.11.7

Matching in nixpkgs

pkgs.jellyfin

Free Software Media System

nixos-unstable 10.11.8
- nixpkgs-unstable 10.11.8
- nixos-unstable-small 10.11.8
nixos-25.11 10.11.8
- nixos-25.11-small 10.11.8
- nixpkgs-25.11-darwin 10.11.8

Ignored packages (19)

pkgs.jellyfin-rpc

Displays the content you're currently watching on Discord

nixos-unstable 1.3.4
- nixpkgs-unstable 1.3.4
- nixos-unstable-small 1.3.4
nixos-25.11 1.3.4
- nixos-25.11-small 1.3.4
- nixpkgs-25.11-darwin 1.3.4

pkgs.jellyfin-tui

Jellyfin music streaming client for the terminal

nixos-unstable 1.4.1
- nixpkgs-unstable 1.4.1
- nixos-unstable-small 1.4.2
nixos-25.11 1.2.6
- nixos-25.11-small 1.2.6
- nixpkgs-25.11-darwin 1.2.6

pkgs.jellyfin-web

Web Client for Jellyfin

nixos-unstable 10.11.8
- nixpkgs-unstable 10.11.8
- nixos-unstable-small 10.11.8
nixos-25.11 10.11.8
- nixos-25.11-small 10.11.8
- nixpkgs-25.11-darwin 10.11.8

pkgs.jellyfin-ffmpeg

Complete, cross-platform solution to record, convert and stream audio and video (Jellyfin fork)

nixos-unstable 7.1.2-2
- nixpkgs-unstable 7.1.2-2
- nixos-unstable-small 7.1.2-2
nixos-25.11 7.1.2-2
- nixos-25.11-small 7.1.2-2
- nixpkgs-25.11-darwin 7.1.2-2