0Xcyborg

**Name of the Vulnerable Software and Affected Versions** Jellyfin versions prior to 10.11.7 **Description** An authenticated user can cause a denial of service via the 'POST /SyncPlay/New' endpoint. Due to insufficient input validation, it is possible to create groups with names of unlimited size. By sending large payloads combined with arbitrary group IDs, an attacker can lock out the endpoint for other clients and significantly increase the memory usage of the process, which may lead to an out-of-memory crash. **Recommendations** Update to version 10.11.7.