Improper Neutralization of Argument Delimiters in a Command in Jellyfin - CVE-2026-35033

 

Improper Neutralization of Argument Delimiters in a Command in Jellyfin - CVE-2026-35033

Published: April 15, 2026


Vulnerability identifier: #VU126126
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-35033
CWE-ID: CWE-88
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Jellyfin
Affected software:
Jellyfin

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper neutralization of argument delimiters in a command in the ParseStreamOptions method in StreamingHelpers.cs and the /Videos/{itemId}/stream endpoint when processing StreamOptions query parameters. A remote attacker can send a specially crafted request to disclose sensitive information.

The issue can be exploited without authentication, and injected ffmpeg arguments can cause server file contents to be rendered into the video stream response.


How to mitigate CVE-2026-35033

Install security update from vendor's website.

Sources