Jellyfin is an open source self hosted media server. From 10.9.0 until 10.11.10, the POST /ClientLog/Document endpoint accepts the Authorization header's Client and Version fields and uses them unsanitized as components of the on-disk filename when persisting client-uploaded log documents. As a result, any authenticated non-admin user can include ../ sequences in the Client field to cause Jellyfin to write attacker-controlled content to arbitrary paths reachable by the Jellyfin service user, with a forced .log suffix. This vulnerability is fixed in 10.11.10.
Metrics
Affected Vendors & Products
References
History
Thu, 25 Jun 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Thu, 25 Jun 2026 06:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Jellyfin
Jellyfin jellyfin |
|
| Vendors & Products |
Jellyfin
Jellyfin jellyfin |
Wed, 24 Jun 2026 18:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Jellyfin is an open source self hosted media server. From 10.9.0 until 10.11.10, the POST /ClientLog/Document endpoint accepts the Authorization header's Client and Version fields and uses them unsanitized as components of the on-disk filename when persisting client-uploaded log documents. As a result, any authenticated non-admin user can include ../ sequences in the Client field to cause Jellyfin to write attacker-controlled content to arbitrary paths reachable by the Jellyfin service user, with a forced .log suffix. This vulnerability is fixed in 10.11.10. | |
| Title | Jellyfin: Potential Authenticated path traversal in /ClientLog/Document | |
| Weaknesses | CWE-22 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published: 2026-06-24T18:18:46.137Z
Updated: 2026-06-26T03:55:58.837Z
Reserved: 2026-05-28T14:33:01.178Z
Link: CVE-2026-49247
Updated: 2026-06-25T17:09:54.877Z
No data.
No data.