#VU126128 Improper input validation in Jellyfin - CVE-2026-35032

 

Published: April 15, 2026


Vulnerability identifier: #VU126128
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-35032
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Jellyfin
Software vendor: Jellyfin

Description

The vulnerability allows a remote user to read arbitrary files and perform server-side request forgery.

The vulnerability exists due to improper input validation in the LiveTV M3U tuner endpoint when processing user-supplied tuner URLs. A remote user can submit a specially crafted tuner URL to read arbitrary files and perform server-side request forgery.

The issue is exploitable by authenticated users because Live TV management permissions are enabled by default for new users.
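The kind of input validation a user-supplied tuner URL calls for, as an added example (not Jellyfin's code and not the vendor's fix): the function names, the HTTP(S)-only scheme policy and the sample URLs used with it are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: tuners are fetched over HTTP(S) only


def system_resolve(host):
    """Default resolver: every address the host name currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def host_addresses(host, resolve):
    """Return the host as IP objects, resolving names through `resolve`."""
    try:
        return {ipaddress.ip_address(host)}  # literal IPv4/IPv6 address
    except ValueError:
        return {ipaddress.ip_address(a) for a in resolve(host)}


def check_tuner_url(url, resolve=system_resolve):
    """Return (allowed, reason) for a user-supplied M3U tuner URL."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "malformed URL"
    # Local paths parse with an empty scheme (or a drive letter); file:// is explicit.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "local path or non-HTTP scheme"
    if not parts.hostname:
        return False, "missing host"
    try:
        addresses = host_addresses(parts.hostname, resolve)
    except (OSError, ValueError):
        return False, "host does not resolve"
    if not addresses:
        return False, "host does not resolve"
    # Every resolved address must be public: one internal record is enough for SSRF.
    for ip in addresses:
        if not ip.is_global:
            return False, f"{ip} is not a publicly routable address"
    return True, "ok"
```

The check resolves the host once, so the later fetch has to connect to the address that was validated and apply the same check to any redirect target.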


Remediation

Install the security update from the vendor's website.
