CVE-2026-48793
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk28th percentile — higher than 28% of all known CVEs
Summary
A vulnerability in Jellyfin before version 10.11.10 allows FFmpeg argument injection via a specially crafted subtitle filename. An unauthenticated attacker can exploit the lack of path normalization in SubtitleEncoder, leading to arbitrary file write on the server and information disclosure.
Risk Assessment
The risk includes unauthorized file write on the server and data leakage, potentially leading to system compromise or theft of sensitive information.
Recommendation
Update Jellyfin to version 10.11.10 or later immediately. Restrict access to media library directories to trusted users only.
Original NVD description (English source)
Jellyfin is an open source self hosted media server. Prior to 10.11.10, a potential FFmpeg argument injection vulnerability exists in the subtitle conversion code path. SubtitleEncoder.ConvertTextSubtitleToSrtInternal (SubtitleEncoder.cs, line 382) interpolates the subtitle file path into FFmpeg command-line arguments without calling EncodingUtils.NormalizePath(). On Linux, filenames can contain double-quote characters, which break the argument quoting and allow injection of arbitrary FFmpeg arguments. The vulnerability is reachable without authentication via SubtitleController.GetSubtitle, which has no [Authorize] attribute. An attacker who can place a file in a Jellyfin media library directory (shared NAS, Samba share, guest upload) can achieve arbitrary file write on the server and information disclosure. This vulnerability is fixed in 10.11.10.

