Path traversal in Jellyfin - CVE-2021-21402

 


Published: March 22, 2021 / Updated: April 15, 2026


Vulnerability identifier: #VU126125
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-21402
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Jellyfin
Software vendor: Jellyfin

Description

The vulnerability allows a remote attacker to disclose arbitrary files from the server file system.

The vulnerability exists due to path traversal in certain endpoints when handling specially crafted requests. A remote attacker can send such requests to disclose arbitrary files from the server file system.

The issue is more prevalent when Windows is used as the host operating system.
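
One general reason a traversal flaw can be easier to reach on a Windows host is that both `\` and `/` separate path components there, while on Linux a backslash is an ordinary file-name character. The following added example (not Jellyfin's code and not part of the advisory; the directory names, function names and request values are constructed for illustration) uses Python's `ntpath` and `posixpath` modules to apply the same containment check under both sets of path rules, next to a weak check that only looks for `../`.

```python
import ntpath
import posixpath

# Constructed base directories, for illustration only (assumption, not from the advisory).
BASES = {"windows": r"C:\media\cache", "posix": "/srv/media/cache"}
PATH_MODULES = {"windows": ntpath, "posix": posixpath}


def naive_is_safe(user_part: str) -> bool:
    """Weak check: only recognises the forward-slash form of a parent reference."""
    return "../" not in user_part


def resolve_under(base: str, user_part: str, flavour: str):
    """Join user_part to base using the given host's path rules.

    Returns the normalised path, or None when the result is not inside base.
    """
    p = PATH_MODULES[flavour]
    if "\x00" in user_part:
        return None
    root = p.normpath(base)
    # normpath collapses '..' using the separators that are valid on that host.
    candidate = p.normpath(p.join(root, user_part))
    try:
        inside = p.commonpath([root, candidate]) == root
    except ValueError:
        # Raised for example when the input names a different Windows drive.
        return None
    return candidate if inside else None


def demo():
    """Run constructed request values through both checks on both hosts."""
    samples = ["segment1.ts", r"..\..\outside.txt", "../../outside.txt"]
    rows = []
    for value in samples:
        for flavour, base in BASES.items():
            rows.append((value, flavour, naive_is_safe(value),
                         resolve_under(base, value, flavour)))
    return rows


if __name__ == "__main__":
    for value, flavour, naive, resolved in demo():
        print(f"{value!r:24} {flavour:8} naive_ok={naive!s:5} resolved={resolved!r}")
```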


Remediation

Install the security update from the vendor's website.

External links