cvedb.io
CVE-2024-43801
MEDIUM · CVSS 4.6
EPSS exploitation probability: 0%
Published 2024-09-02T18:15:36.320 · Last modified 2026-06-17T07:51:44.390

Summary

Jellyfin is an open source self hosted media server. The Jellyfin user profile image upload accepts SVG files, allowing for a stored XSS attack against an admin user via a specially crafted malicious SVG file. When viewed by an admin outside of the Jellyfin Web UI (e.g. via "view image" in a browser), this malicious SVG file could interact with the browser's LocalStorage and retrieve an AccessToken, which in turn can be used in an API call to elevate the target user to a Jellyfin administrator. The actual attack vector is unlikely to be exploited, as it requires specific actions by the administrator to view the SVG image outside of Jellyfin's WebUI, i.e. it is not a passive attack. The underlying exploit mechanism is solved by PR #12490, which forces attached images (including the potentia

Affected products

jellyfin — jellyfin

Does this affect you?

Add your gear to cvedb and we'll alert you only when jellyfin ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.