Cyber Resilience

CVE-2026-35031

Critical

Published: 14 April 2026

Published
14 April 2026
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0075 50.3th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-35031 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Jellyfin Jellyfin. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 49.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-35031 affects Jellyfin, an open-source self-hosted media server, in versions prior to 10.11.7. The vulnerability is a chain rooted in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field lacks validation. This enables path traversal through the file extension, resulting in arbitrary file writes. Associated CWEs include CWE-20 (Improper Input Validation), CWE-22 (Path Traversal), and CWE-187 (Incomplete Blacklist). The issue carries a CVSS v3.1 score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Exploitation requires an administrator account or a user explicitly granted the "Upload Subtitles" permission. Attackers can leverage the initial arbitrary file write to chain into arbitrary file reads using .strm files, extract the database, escalate to admin privileges, and achieve remote code execution as root via ld.so.preload.

The vulnerability has been addressed in Jellyfin version 10.11.7. For those unable to upgrade immediately, the advisory recommends granting non-administrator users the Subtitle upload permission to minimize the attack surface. Additional details are available in the release notes at https://github.com/jellyfin/jellyfin/releases/tag/v10.11.7 and the security advisory at https://github.com/jellyfin/jellyfin/security/advisories/GHSA-j2hf-x4q5-47j3.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Jellyfin is an open source self hosted media server. Versions prior to 10.11.7 contain a vulnerability chain in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles), where the Format field is not validated, allowing path traversal via the file extension and enabling…

more

arbitrary file write. This arbitrary file write can be chained into arbitrary file read via .strm files, database extraction, admin privilege escalation, and ultimately remote code execution as root via ld.so.preload. Exploitation requires an administrator account or a user that has been explicitly granted the "Upload Subtitles" permission. This issue has been fixed in version 10.11.7. If users are unable to upgrade immediately, they can grant non-administrator users Subtitle upload permissions to reduce attack surface.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1574.006 Dynamic Linker Hijacking Stealth
Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries.
Why these techniques?

CVE enables exploitation of public-facing web application (T1190) via path traversal for arbitrary file writes, chaining to privilege escalation (T1068) and RCE through ld.so.preload dynamic linker hijacking (T1574.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35032Same product: Jellyfin Jellyfin
CVE-2026-35033Same product: Jellyfin Jellyfin
CVE-2026-31852Same product: Jellyfin Jellyfin
CVE-2025-41757Shared CWE-22
CVE-2025-12422Shared CWE-22
CVE-2024-38292Shared CWE-22
CVE-2025-27494Shared CWE-20
CVE-2026-42520Shared CWE-22
CVE-2025-27590Shared CWE-22
CVE-2026-2750Shared CWE-20

Affected Assets

jellyfin
jellyfin
≤ 10.11.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the improper input validation of the Format field that enables path traversal and arbitrary file writes in the subtitle upload endpoint.

prevent

Requires timely remediation of the known flaw fixed in Jellyfin 10.11.7, preventing exploitation of the vulnerability chain leading to RCE.

prevent

Enforces least privilege to restrict subtitle upload permissions to only necessary users, reducing the attack surface as recommended in the advisory.

References