Cyber Posture

CVE-2026-35031

Severity: Critical (entry updated)

Published: 14 April 2026
Modified: 23 April 2026
KEV Added: not listed
Patch: available (fixed in 10.11.7)
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0049 (65.5th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-35031 is a critical-severity Improper Input Validation (CWE-20) vulnerability in the Jellyfin media server (vendor: Jellyfin). Its CVSS v3.1 base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS score places it in the top 34.5% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and two further techniques (T1068, T1574.006). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated mapping]

SI-10 Information Input Validation (prevent)
Directly addresses the missing validation of the Format field that enables path traversal and arbitrary file writes through the subtitle upload endpoint.

SI-2 Flaw Remediation (prevent)
Requires timely remediation of the known flaw, fixed in Jellyfin 10.11.7, which cuts off the whole vulnerability chain leading to RCE.

Least privilege (prevent)
Restricts the "Upload Subtitles" permission to the users who actually need it, shrinking the set of accounts that can reach the vulnerable endpoint, in line with the advisory's interim guidance on subtitle upload permissions.

MITRE ATT&CK Enterprise Techniques [AI-generated mapping]

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1574.006 Dynamic Linker Hijacking Persistence / Privilege Escalation / Defense Evasion
Adversaries may execute their own malicious payloads by hijacking environment variables or configuration files (such as /etc/ld.so.preload) that the dynamic linker uses to load shared libraries.
Why these techniques?

The CVE is reached over the network through a public-facing web application (T1190); the path traversal yields an arbitrary file write, which is chained into admin privilege escalation (T1068) and into RCE as root by writing /etc/ld.so.preload so the dynamic linker loads an attacker-supplied library (T1574.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field is not validated, allowing path traversal via the file extension and enabling arbitrary file write. This arbitrary file write can be chained into arbitrary file read via .strm files, database extraction, admin privilege escalation, and ultimately remote code execution as root via ld.so.preload. Exploitation requires an administrator account or a user that has been explicitly granted the "Upload Subtitles" permission. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can grant non-administrator users Subtitle upload permissions to reduce attack surface.

Deeper analysis [AI-generated]

CVE-2026-35031 affects Jellyfin, an open-source self-hosted media server, in versions prior to 10.11.7. The vulnerability is a chain rooted in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field lacks validation. Because that field becomes the file extension of the written subtitle file, an attacker can traverse out of the intended directory and write an arbitrary file. Associated CWEs are CWE-20 (Improper Input Validation), CWE-22 (Path Traversal), and CWE-187 (Partial String Comparison). The issue carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
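The following is an added illustration of the bug class described in this paragraph and in the SI-10 control above; it is not Jellyfin's C# code and does not reproduce the project's actual check. It models a subtitle upload whose attacker-controlled format value is used verbatim as the file extension, compares a weak deny-list check with an allow-list plus path-containment check, and shows how a hostile format value resolves to /etc/ld.so.preload. The subtitle directory, the allow-list and the deny-list are assumptions made for the demonstration.

```python
"""Illustrative validation of an attacker-controlled subtitle "format" field.

Added example, not Jellyfin's code. It models the class of bug behind
CVE-2026-35031 (CWE-20/22/187), where the Format value becomes the file
extension of the written subtitle file. Paths, allow-list and deny-list
below are assumptions, not Jellyfin's real configuration.
"""
import posixpath
import re

# Assumed on-disk location of uploaded subtitles (not Jellyfin's real layout).
SUBTITLE_ROOT = "/var/lib/jellyfin/data/subtitles"

# Assumed allow-list of subtitle extensions the server is willing to write.
ALLOWED_FORMATS = frozenset({"srt", "ass", "ssa", "vtt", "sub"})

# A sensible extension is a short, plain alphanumeric token; so is an item id.
_FORMAT_TOKEN = re.compile(r"[A-Za-z0-9]{1,8}")
_ITEM_ID_TOKEN = re.compile(r"[A-Za-z0-9]{1,64}")


def vulnerable_target(item_id: str, fmt: str) -> str:
    """Weak version: a hypothetical incomplete deny-list on the format string and
    no check on where the resulting path lands. Because ``fmt`` is used verbatim
    as the extension, a value containing ``/`` and ``..`` walks out of
    SUBTITLE_ROOT and can name an arbitrary file such as /etc/ld.so.preload."""
    if fmt.lower() in {"exe", "sh", "dll"}:
        raise ValueError("format not allowed")
    return posixpath.normpath(posixpath.join(SUBTITLE_ROOT, f"{item_id}.{fmt}"))


def escapes_root(path: str) -> bool:
    """True when an already-normalised path lies outside SUBTITLE_ROOT."""
    return posixpath.commonpath([SUBTITLE_ROOT, path]) != SUBTITLE_ROOT


def hardened_target(item_id: str, fmt: str) -> str:
    """Hardened version (NIST 800-53 SI-10 style input validation):
    1. the format must be a known plain token (allow-list, not deny-list);
    2. the item id must be a plain token too, since it is also URL-controlled;
    3. the resolved path must still sit inside SUBTITLE_ROOT (defence in depth)."""
    if not _FORMAT_TOKEN.fullmatch(fmt) or fmt.lower() not in ALLOWED_FORMATS:
        raise ValueError(f"unsupported subtitle format: {fmt!r}")
    if not _ITEM_ID_TOKEN.fullmatch(item_id):
        raise ValueError(f"invalid item id: {item_id!r}")
    target = posixpath.normpath(
        posixpath.join(SUBTITLE_ROOT, f"{item_id}.{fmt.lower()}")
    )
    if escapes_root(target):
        raise ValueError("resolved path escapes the subtitle directory")
    return target


def is_accepted(item_id: str, fmt: str) -> bool:
    """Convenience wrapper: does the hardened check accept this upload?"""
    try:
        hardened_target(item_id, fmt)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: one benign upload and one traversal attempt.
    benign = ("abc123", "srt")
    # Six "../" climb from .../subtitles/abc123.x up to the filesystem root.
    hostile = ("abc123", "x/../../../../../../etc/ld.so.preload")
    for item_id, fmt in (benign, hostile):
        weak = vulnerable_target(item_id, fmt)
        print(f"weak    : {weak}  escapes={escapes_root(weak)}")
        print(f"hardened: accepted={is_accepted(item_id, fmt)}")
```

The point of the hardened variant is that the allow-list alone already rejects every traversal payload; the containment check is kept because it also catches mistakes elsewhere in path construction, such as an item id that later stops being a plain token. Note that "strm" is deliberately absent from the allow-list, which also closes the .strm-based file read step of the chain for this endpoint.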

Exploitation requires an administrator account or a user explicitly granted the "Upload Subtitles" permission. Attackers can leverage the initial arbitrary file write to chain into arbitrary file reads using .strm files, extract the database, escalate to admin privileges, and achieve remote code execution as root via ld.so.preload.

The vulnerability has been addressed in Jellyfin version 10.11.7. For those unable to upgrade immediately, the interim mitigation is to restrict the "Upload Subtitles" permission to the users who genuinely need it, since only administrators and users holding that permission can reach the vulnerable endpoint; note that a compromised administrator account remains able to exploit an unpatched server. Additional details are available in the release notes at https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7 and the security advisory at https://github.com/jellyfin/jellyfin/security/advisories/GHSA-j2hf-x4q5-47j3.
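As an added exposure check (not part of the advisory or of Jellyfin's code), the script below combines the two facts a defender needs from this paragraph: whether the server version predates the fixed release 10.11.7, and which non-administrator accounts currently hold the subtitle-upload permission. It assumes that GET /System/Info/Public returns JSON with a "Version" field and that GET /Users (called with an admin token) returns entries with a "Name" and a "Policy" object carrying "IsAdministrator" and "EnableSubtitleManagement" booleans; the policy field name for the "Upload Subtitles" permission is an assumption and should be confirmed against your own server's responses. The sample responses embedded in the script are constructed.

```python
"""Exposure check for CVE-2026-35031 on a Jellyfin instance.

Added example, not part of the advisory or of Jellyfin's code.
Check 1: is the server version older than the fixed release 10.11.7?
Check 2: which non-administrator accounts can upload subtitles, i.e. can
reach the vulnerable endpoint at all?

Assumed API shape: GET /System/Info/Public -> {"Version": "..."}; GET /Users
(admin token) -> [{"Name": ..., "Policy": {"IsAdministrator": bool,
"EnableSubtitleManagement": bool}}]. The policy field name is an assumption.
"""
import json
import re
import sys
import urllib.request
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = (10, 11, 7)  # first release containing the fix, per the advisory
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from strings such as '10.11.6' or '10.11.0-rc1'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable_version(version: str) -> bool:
    """True for every release before 10.11.7."""
    return parse_version(version) < FIXED_VERSION


def subtitle_uploaders(users: List[Dict]) -> List[str]:
    """Non-admin accounts holding the (assumed) subtitle-upload policy flag."""
    return sorted(
        u["Name"]
        for u in users
        if not u.get("Policy", {}).get("IsAdministrator", False)
        and u.get("Policy", {}).get("EnableSubtitleManagement", False)
    )


def assess(system_info: Dict, users: List[Dict]) -> Dict:
    """Combine both checks into one finding dictionary."""
    version = system_info.get("Version", "")
    vulnerable = is_vulnerable_version(version)
    uploaders = subtitle_uploaders(users)
    return {
        "version": version,
        "vulnerable_version": vulnerable,
        "non_admin_subtitle_uploaders": uploaders,
        # Old version AND at least one non-admin who can reach the endpoint.
        # An admin-only server is still exposed to a compromised admin account.
        "exposed_to_non_admins": vulnerable and bool(uploaders),
    }


def fetch_json(base_url: str, path: str, api_key: Optional[str] = None) -> object:
    """Live variant (not exercised offline): call a Jellyfin endpoint.
    X-Emby-Token is the header Jellyfin accepts for an API key / access token."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    if api_key:
        req.add_header("X-Emby-Token", api_key)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample responses, shaped like the assumed API output.
SAMPLE_SYSTEM_INFO = {"Version": "10.11.6", "ServerName": "media"}
SAMPLE_USERS = [
    {"Name": "admin", "Policy": {"IsAdministrator": True, "EnableSubtitleManagement": True}},
    {"Name": "alice", "Policy": {"IsAdministrator": False, "EnableSubtitleManagement": True}},
    {"Name": "bob", "Policy": {"IsAdministrator": False, "EnableSubtitleManagement": False}},
]

if __name__ == "__main__":
    # Usage: python check.py https://jellyfin.example <admin-api-key>
    # Without arguments the constructed samples are assessed instead.
    if len(sys.argv) >= 3:
        info = fetch_json(sys.argv[1], "/System/Info/Public")
        users = fetch_json(sys.argv[1], "/Users", sys.argv[2])
    else:
        info, users = SAMPLE_SYSTEM_INFO, SAMPLE_USERS
    print(json.dumps(assess(info, users), indent=2))
```

Run against the samples, the check reports version 10.11.6 as vulnerable and names alice as the one non-admin who can reach the endpoint; the actionable output is that list, since each entry is either a permission to revoke or a user to watch until the upgrade lands.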

Details

CWE(s)

CWE-20 Improper Input Validation
CWE-22 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
CWE-187 Partial String Comparison

Affected Products

jellyfin / jellyfin: versions prior to 10.11.7 (fixed in 10.11.7)

CVEs Like This One

CVE-2026-35032 (same product: Jellyfin Jellyfin)
CVE-2026-35033 (same product: Jellyfin Jellyfin)
CVE-2026-31852 (same product: Jellyfin Jellyfin)
CVE-2025-27494 (shared CWE-20)
CVE-2026-1311 (shared CWE-22)
CVE-2025-30213 (shared CWE-20)
CVE-2026-2750 (shared CWE-20)
CVE-2025-22130 (shared CWE-22)
CVE-2025-27590 (shared CWE-22)
CVE-2026-21227 (shared CWE-22)

References

https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7
https://github.com/jellyfin/jellyfin/security/advisories/GHSA-j2hf-x4q5-47j3