PT-2026-32958 · Jellyfin · Jellyfin

Paul-Gerste-Sonarsource · Published 2026-04-14 · Updated 2026-04-15 · CVE-2026-35033

CVSS v4.0: 9.3 Critical
AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N
Name of the Vulnerable Software and Affected Versions

Jellyfin versions prior to 10.11.7

Description

An unauthenticated arbitrary file read is possible via ffmpeg argument injection through the query parameter parsing mechanism. The ParseStreamOptions method in StreamingHelpers.cs adds lowercase query parameters to a dictionary without validation, bypassing the RegularExpression attribute on the level controller parameter. This unsanitized value is then concatenated directly into the ffmpeg command line. An attacker can inject a drawtext filter with a textfile argument to read arbitrary server files, such as /etc/shadow, and exfiltrate the contents as text rendered in the video stream response. The affected endpoint is '/Videos/{itemId}/stream', which lacks an Authorize attribute, allowing exploitation without authentication, although item GUIDs are pseudorandom.
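The defect the description names is a validation applied to one copy of a parameter while a second, unvalidated copy is the one that reaches the command line. The following is an added illustration, not Jellyfin's code (the project is C#; this is a generic Python model of the weakness class), showing a parser with that shape beside a hardened one that validates the value actually used and keeps each ffmpeg token separate. The option names other than `level`, the regex patterns, and the flag mapping are assumptions; the advisory does not quote Jellyfin's actual RegularExpression.

```python
import re
from typing import Dict, List, Mapping, Optional

# Constructed allowlist of stream options and the value shape each must have.
# Patterns are assumptions for illustration, not Jellyfin's actual validators.
OPTION_PATTERNS: Dict[str, re.Pattern] = {
    "level": re.compile(r"[0-9]{1,2}(\.[0-9])?"),  # e.g. "4.1" or "41"
    "audiocodec": re.compile(r"[a-z0-9]+"),        # e.g. "aac"
}


def parse_stream_options_vulnerable(
    query: Mapping[str, str], validated_level: Optional[str]
) -> Dict[str, str]:
    """Simplified model of the described defect (not Jellyfin's code).

    `validated_level` stands for a model-bound parameter that passed its
    pattern check. The loop then copies every raw query parameter, with a
    lowercased key, into the same dictionary, so the raw value is what the
    command builder later reads and no check ever applies to it.
    """
    options: Dict[str, str] = {}
    if validated_level is not None:
        options["level"] = validated_level
    for key, value in query.items():
        options[key.lower()] = value  # raw value, never validated
    return options


def parse_stream_options_hardened(query: Mapping[str, str]) -> Dict[str, str]:
    """Validate the value that will actually be used, not a separate copy.

    Unknown parameters are dropped; known ones must fully match their
    pattern or the whole request is rejected with ValueError.
    """
    options: Dict[str, str] = {}
    for key, value in query.items():
        name = key.lower()
        pattern = OPTION_PATTERNS.get(name)
        if pattern is None:
            continue  # not an option ffmpeg should ever see
        if pattern.fullmatch(value) is None:
            raise ValueError(f"rejected value for {name!r}")
        options[name] = value
    return options


def hardened_rejects(query: Mapping[str, str]) -> bool:
    """True if the hardened parser refuses the request."""
    try:
        parse_stream_options_hardened(query)
    except ValueError:
        return True
    return False


def build_ffmpeg_args(options: Mapping[str, str]) -> List[str]:
    """Build the command as an argv list of already-validated tokens.

    Each value is its own argv element, never joined into one command string,
    so ffmpeg receives exactly the tokens built here. The option-to-flag
    mapping is hypothetical, for illustration only.
    """
    args = ["ffmpeg", "-i", "INPUT_PLACEHOLDER"]
    if "level" in options:
        args += ["-level", options["level"]]
    if "audiocodec" in options:
        args += ["-c:a", options["audiocodec"]]
    return args


if __name__ == "__main__":
    # Constructed requests: one legitimate, one whose level carries extra tokens.
    good = {"Level": "4.1", "AudioCodec": "aac"}
    bad = {"Level": "4.1 -unexpected-token"}
    print("vulnerable model forwards:", parse_stream_options_vulnerable(bad, None))
    print("hardened rejects bad:", hardened_rejects(bad))
    print("hardened argv:", build_ffmpeg_args(parse_stream_options_hardened(good)))
```

The check that matters is `fullmatch` on the exact string placed into the command, applied after key normalization, so case or duplicate parameters cannot route a value around it.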
Recommendations

Update to version 10.11.7.

Fix

Weakness Enumeration: Argument Injection, Missing Authorization

Related Identifiers: CVE-2026-35033

Affected Products: Jellyfin