PT-2026-34561 · Postgresql Global Development Group+1 · Postgresql+1

Published

2026-04-22

·

Updated

2026-04-23

·

CVE-2026-41167

CVSS v3.1

9.1

Critical

Vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jellystat versions prior to 1.1.10
Description: Multiple API endpoints build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL through the 'POST /api/getUserDetails' and 'POST /api/getLibrary' endpoints, gaining full read access to every database table, including the app config, which holds the admin credentials, the Jellyfin API key and the Jellyfin host URL. Because the application calls node-postgres without a parameter array, the query text is sent over the simple query protocol, which accepts several semicolon-separated statements in one string; stacked queries are therefore possible. This lets an attacker escalate from data disclosure to arbitrary command execution on the PostgreSQL host with COPY ... TO PROGRAM, which PostgreSQL only permits for superusers and members of the pg_execute_server_program role. The database role provided in the project's docker-compose.yml file is a PostgreSQL superuser, so in that deployment no further privileges are needed.
Recommendations: Update Jellystat to version 1.1.10 or later.
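The following is an added example, not Jellystat's own code. It models the two points in the description: a request-body field interpolated into raw SQL lets the caller close the string literal and append a second statement, and node-postgres only sends such a multi-statement string when no values array is given (simple query protocol); with a $1 placeholder and a values array it uses the extended protocol, which refuses more than one statement and never parses the value as SQL. The table and column names, the request shape and the RecordingPool stand-in for pg.Pool are assumptions; no database is contacted.

```javascript
// Stand-in for pg.Pool#query (assumption, not node-postgres itself): it records
// what would go on the wire instead of sending it, and mirrors the server rule
// that the extended protocol (used whenever a values array is passed) accepts a
// single statement only. Kept synchronous so the results can be inspected directly.
class RecordingPool {
  constructor() { this.sent = []; }
  query(textOrConfig, values) {
    const req = typeof textOrConfig === 'string'
      ? { text: textOrConfig, values: values || null }
      : { text: textOrConfig.text, values: textOrConfig.values || null };
    if (req.values && countStatements(req.text) > 1) {
      throw new Error('cannot insert multiple commands into a prepared statement');
    }
    this.sent.push(req);
    return { rows: [] };
  }
}

// Counts the statements in a SQL string the way the simple protocol would see
// them: a ';' outside a single-quoted literal ends a statement, and "--" starts
// a line comment. A minimal model, enough to show how many statements each
// handler hands to the server.
function countStatements(sql) {
  let inQuote = false;
  let pending = false;   // non-blank text seen since the last ';'
  let count = 0;
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (inQuote) {
      pending = true;
      if (c === "'") inQuote = false;
      continue;
    }
    if (c === '-' && sql[i + 1] === '-') {   // line comment: skip to end of line
      const nl = sql.indexOf('\n', i);
      if (nl === -1) break;
      i = nl;
      continue;
    }
    if (c === "'") { inQuote = true; pending = true; }
    else if (c === ';') { if (pending) count++; pending = false; }
    else if (!/\s/.test(c)) pending = true;
  }
  return count + (pending ? 1 : 0);
}

// Vulnerable shape described in the advisory: the body field is pasted into the
// SQL text and the string is sent with no values array (simple query protocol).
// Table/column names are assumptions.
function getUserDetailsVulnerable(pool, body) {
  const sql = `SELECT * FROM jf_users WHERE "Id" = '${body.userid}'`;
  return pool.query(sql);
}

// Parameterized form: the value travels separately from the SQL text, so it
// can neither close the literal nor add a statement.
function getUserDetailsFixed(pool, body) {
  const sql = 'SELECT * FROM jf_users WHERE "Id" = $1';
  return pool.query(sql, [body.userid]);
}

// Constructed request body carrying a stacked-query payload of the kind the
// advisory describes. The appended COPY ... TO PROGRAM only executes for a
// superuser or a member of pg_execute_server_program; a harmless command is used.
const maliciousBody = { userid: "x'; COPY (SELECT 1) TO PROGRAM 'id'; --" };

// Runs both handlers against the same body and reports what reached the "server".
function demo() {
  const vuln = new RecordingPool();
  getUserDetailsVulnerable(vuln, maliciousBody);
  const vulnStatements = countStatements(vuln.sent[0].text);   // 2: the SELECT plus the injected COPY

  const fixed = new RecordingPool();
  getUserDetailsFixed(fixed, maliciousBody);
  const fixedStatements = countStatements(fixed.sent[0].text); // 1: "$1" is still just a placeholder
  const valueKeptSeparate = fixed.sent[0].values[0] === maliciousBody.userid;

  return { vulnStatements, fixedStatements, valueKeptSeparate };
}
```

The fix is the values array, not escaping: once a values array is present, node-postgres switches to the extended protocol and the server itself rejects a multi-statement string, so even a regression in quoting cannot reopen the stacked-query path. Reducing the database role to a non-superuser without pg_execute_server_program membership is the second, independent barrier against COPY ... TO PROGRAM.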

Exploit

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2026-41167

Affected Products

Jellystat
Postgresql