CVE-2026-48793

HIGH 8.8

Jellyfin: Potential FFmpeg argument injection via unescaped subtitle file path

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

Jellyfin is an open source self hosted media server. Prior to 10.11.10, a potential FFmpeg argument injection vulnerability exists in the subtitle conversion code path. SubtitleEncoder.ConvertTextSubtitleToSrtInternal (SubtitleEncoder.cs, line 382) interpolates the subtitle file path into FFmpeg command-line arguments without calling EncodingUtils.NormalizePath(). On Linux, filenames can contain double-quote characters, which break the argument quoting and allow injection of arbitrary FFmpeg arguments. The vulnerability is reachable without authentication via SubtitleController.GetSubtitle, which has no [Authorize] attribute. An attacker who can place a file in a Jellyfin media library directory (shared NAS, Samba share, guest upload) can achieve arbitrary file write on the server and information disclosure. This vulnerability is fixed in 10.11.10.

CWE	CWE-88
Vendor	jellyfin
Product	jellyfin
Published	Jun 24, 2026
Last Updated	Jun 24, 2026

Stay Ahead of the Next One

Get instant alerts for jellyfin jellyfin

Be the first to know when new high vulnerabilities affecting jellyfin jellyfin are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

jellyfin / jellyfin

< 10.11.10

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/jellyfin/jellyfin/security/advisories/GHSA-wwwm-px48-fpvq