Nixpkgs security tracker

Login with GitHub

Suggestion detail

Untriaged

Permalink CVE-2026-49247

8.8 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

created 1 day, 17 hours ago Activity log

Created suggestion 1 day, 17 hours ago

Jellyfin: Potential Authenticated path traversal in /ClientLog/Document

Jellyfin is an open source self hosted media server. From 10.9.0 until 10.11.10, the POST /ClientLog/Document endpoint accepts the Authorization header's Client and Version fields and uses them unsanitized as components of the on-disk filename when persisting client-uploaded log documents. As a result, any authenticated non-admin user can include ../ sequences in the Client field to cause Jellyfin to write attacker-controlled content to arbitrary paths reachable by the Jellyfin service user, with a forced .log suffix. This vulnerability is fixed in 10.11.10.

References

https://github.com/jellyfin/jellyfin/security/advisories/GHSA-jg92-mrxq-vv75 x_refsource_CONFIRM

Affected products

jellyfin

==>= 10.9.0, < 10.11.10

Matching in nixpkgs

pkgs.jellyfin

Free Software Media System

nixos-unstable 10.11.11
- nixpkgs-unstable 10.11.11
- nixos-unstable-small 10.11.11
nixos-26.05 10.11.10
- nixos-26.05-small 10.11.11
- nixpkgs-26.05-darwin 10.11.11

pkgs.jellyfin-rpc

Displays the content you're currently watching on Discord

nixos-unstable 1.3.4
- nixpkgs-unstable 1.3.4
- nixos-unstable-small 1.3.4
nixos-26.05 1.3.4
- nixos-26.05-small 1.3.4
- nixpkgs-26.05-darwin 1.3.4

pkgs.jellyfin-tui

Jellyfin music streaming client for the terminal

nixos-unstable 1.5.0
- nixpkgs-unstable 1.5.0
- nixos-unstable-small 1.5.0
nixos-26.05 1.4.2
- nixos-26.05-small 1.4.2
- nixpkgs-26.05-darwin 1.4.2

pkgs.jellyfin-web

Web Client for Jellyfin

nixos-unstable 10.11.11
- nixpkgs-unstable 10.11.11
- nixos-unstable-small 10.11.11
nixos-26.05 10.11.10
- nixos-26.05-small 10.11.11
- nixpkgs-26.05-darwin 10.11.11

pkgs.jellyfin-ffmpeg

Complete, cross-platform solution to record, convert and stream audio and video (Jellyfin fork)

nixos-unstable 7.1.4-3
- nixpkgs-unstable 7.1.4-3
- nixos-unstable-small 7.1.4-3
nixos-26.05 7.1.2-2
- nixos-26.05-small 7.1.4-3
- nixpkgs-26.05-darwin 7.1.4-3

pkgs.mopidy-jellyfin

Mopidy extension for playing audio files from Jellyfin

nixos-unstable 1.0.6
- nixpkgs-unstable 1.0.6
- nixos-unstable-small 1.0.6
nixos-26.05 1.0.6
- nixos-26.05-small 1.0.6
- nixpkgs-26.05-darwin 1.0.6

pkgs.jellyfin-desktop

Jellyfin Desktop Client

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0
nixos-26.05 2.0.0
- nixos-26.05-small 2.0.0
- nixpkgs-26.05-darwin 2.0.0

pkgs.jellyfin-mpv-shim

Allows casting of videos to MPV via the jellyfin mobile and web app

nixos-unstable 2.9.0
- nixpkgs-unstable 2.9.0
- nixos-unstable-small 2.9.0
nixos-26.05 2.9.0
- nixos-26.05-small 2.9.0
- nixpkgs-26.05-darwin 2.9.0

pkgs.jellyfin-media-player

Jellyfin Desktop Client

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0
nixos-26.05 2.0.0
- nixos-26.05-small 2.0.0
- nixpkgs-26.05-darwin 2.0.0

pkgs.kodiPackages.jellyfin

Whole new way to manage and view your media library

nixos-unstable 2.0.0
- nixpkgs-unstable 2.0.0
- nixos-unstable-small 2.0.0
nixos-26.05 2.0.0
- nixos-26.05-small 2.0.0
- nixpkgs-26.05-darwin 2.0.0

pkgs.python312Packages.aiojellyfin

None

pkgs.python313Packages.aiojellyfin

nixos-unstable 0.14.1
- nixpkgs-unstable 0.14.1
- nixos-unstable-small 0.14.1
nixos-26.05 0.14.1
- nixos-26.05-small 0.14.1
- nixpkgs-26.05-darwin 0.14.1

pkgs.python314Packages.aiojellyfin

nixos-unstable 0.14.1
- nixpkgs-unstable 0.14.1
- nixos-unstable-small 0.14.1
nixos-26.05 0.14.1
- nixos-26.05-small 0.14.1
- nixpkgs-26.05-darwin 0.14.1

pkgs.mopidyPackages.mopidy-jellyfin

Mopidy extension for playing audio files from Jellyfin

nixos-unstable 1.0.6
- nixpkgs-unstable 1.0.6
- nixos-unstable-small 1.0.6
nixos-26.05 1.0.6
- nixos-26.05-small 1.0.6
- nixpkgs-26.05-darwin 1.0.6

pkgs.home-assistant-component-tests.jellyfin

None

pkgs.python312Packages.jellyfin-apiclient-python

None

pkgs.python313Packages.jellyfin-apiclient-python

Python API client for Jellyfin

nixos-unstable 1.12.0
- nixpkgs-unstable 1.12.0
- nixos-unstable-small 1.12.0
nixos-26.05 1.12.0
- nixos-26.05-small 1.12.0
- nixpkgs-26.05-darwin 1.12.0

pkgs.python314Packages.jellyfin-apiclient-python

Python API client for Jellyfin

nixos-unstable 1.12.0
- nixpkgs-unstable 1.12.0
- nixos-unstable-small 1.12.0
nixos-26.05 1.12.0
- nixos-26.05-small 1.12.0
- nixpkgs-26.05-darwin 1.12.0

Package maintainers

@minijackson Rémi Nicole <minijackson@riseup.net>
@purcell Steve Purcell <steve@sanityinc.com>
@nyanloutre Paul Trehiou <paul@nyanlout.re>
@jojosch Johannes Schleifenbaum <johannes@js-webcoding.de>
@paumr Michael Bergmeister
@justinas Justinas Stankevičius <justinas@justinas.org>
@getchoo Seth Flynn <getchoo@tuta.io>
@GKHWB GKHWB <kingdomg@tuta.com>
@dschrempf Dominik Schrempf <dominik.schrempf@gmail.com>
@peterhoeg Peter Hoeg <peter@hoeg.com>
@aanderse Aaron Andersen <aaron@fosslib.net>
@cpages Carles Pagès <page@ruiec.cat>
@nvmd Sergey Kazenyuk <kazenyuk@pm.me>
@pstn Philipp Steinpaß <philipp@xndr.de>
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>