LeakyCreds

CVE-2026-35031 - Vulnerability Analysis

Critical | CVSS: 9.9

Last Updated: April 14, 2026

Jellyfin - Path Traversal & Remote Code Execution

Published: April 14, 2026 | Updated: April 14, 2026 | Remote Exploitable

Overview

Jellyfin versions before 10.11.7 contain a path traversal vulnerability caused by improper validation of the Format field in the subtitle upload endpoint. An attacker with subtitle upload permissions can write arbitrary files and escalate to remote code execution as root.

Severity & Score

Severity: Critical
CVSS Score: 9.9

Impact

Attackers with subtitle upload permissions can write arbitrary files, escalate privileges, and execute code as root, leading to full system compromise.

Mitigation

Upgrade to version 10.11.7 or later.

Details

CVE ID: CVE-2026-35031
Severity: Critical
CVSS Score: 9.9
Type: path_traversal
Status: new

CWE

  • CWE-20

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H