Home / Vulnerability Intelligence / CVE-2026-31852

CVE-2026-31852 - Vulnerability Analysis

CriticalCVSS: 10.0

Last Updated: March 11, 2026

Jellyfin jellyfin-ios - Remote Code Execution

Published: March 11, 2026Updated: March 11, 2026Remote Exploitable

Overview

Jellyfin jellyfin-ios contains an arbitrary code execution vulnerability in the code-quality.yml GitHub Actions workflow due to elevated permissions, letting attackers via forked pull requests fully compromise the repository and organization, exploit requires pull request from forked repository.

Severity & Score

Severity: Critical

CVSS Score: 10.0

EPSS Score: 7.8%(Probability of exploitation in next 30 days)

Impact

Attackers can fully compromise the repository, exfiltrate secrets, poison packages, and compromise the entire organization.

Mitigation

No update required; end users do not need to take any actions as this is a workflow configuration issue.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 11, 2026

🔴 CVE-2026-31852 - Critical (10) Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is vulnerable to arbitrary code execution via pull requests from forked repositories. Due to the workflow's elevated permissions (nearly... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-31852/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-31852
Severity: Critical
CVSS Score: 10.0
Type: undefined
Status: new
EPSS: 7.8%
Social Posts: 1

CWE

CWE-269

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score

7.8%Probability of exploitation in the next 30 days