CVE-2026-35034

Name of the Vulnerable Software and Affected Versions Jellyfin versions prior to 10.11.7

Description An authenticated user can cause a denial of service via the 'POST /SyncPlay/New' endpoint. Due to insufficient input validation, it is possible to create groups with names of unlimited size. By sending large payloads combined with arbitrary group IDs, an attacker can lock out the endpoint for other clients and significantly increase the memory usage of the process, which may lead to an out-of-memory crash.

Recommendations Update to version 10.11.7.