Arbitrary Argument Injection Affecting jellyfin.common package, versions [,10.11.10)


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Social Trends
EPSS
0.36% (28th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DOTNET-JELLYFINCOMMON-17661061
  • published28 Jun 2026
  • disclosed24 Jun 2026
  • credita-maccormack

Introduced: 24 Jun 2026

NewCVE-2026-48793  (opens in a new tab)
CWE-88  (opens in a new tab)

How to fix?

Upgrade Jellyfin.Common to version 10.11.10 or higher.

Overview

Jellyfin.Common is an a Free Software Media System that puts you in control of managing and streaming your media.

Affected versions of this package are vulnerable to Arbitrary Argument Injection via the SubtitleEncoder.ConvertTextSubtitleToSrtInternal process. An attacker can achieve arbitrary file write and information disclosure by injecting malicious arguments into the FFmpeg command line through specially crafted subtitle file paths containing double-quote characters. This is possible when an attacker is able to place a file in a media library directory, such as through a shared NAS, Samba share, or guest upload, and exploit the unauthenticated SubtitleController.GetSubtitle endpoint.

CVSS Base Scores

version 4.0
version 3.1