Jellyfin RCE: Critical Flaw Chains Arbitrary File Write to Root
The National Vulnerability Database recently detailed a critical vulnerability, CVE-2026-35031, affecting Jellyfin, the popular open-source self-hosted media server. This nasty chain of flaws, present in versions prior to 10.11.7, starts with improper validation in the subtitle upload endpoint (POST /Videos/{itemId}/Subtitles).
According to the National Vulnerability Database, attackers can leverage path traversal via the Format field and an unvalidated file extension to achieve an arbitrary file write. This isn’t just a nuisance; it’s the first domino. From there, the attack can escalate to arbitrary file read via .strm files, database extraction, admin privilege escalation, and ultimately remote code execution (RCE) as root using ld.so.preload. The good news? Exploitation requires either an administrator account or a user explicitly granted the ‘Upload Subtitles’ permission. Still, that’s a significant attack surface for a critical vulnerability with a CVSS score of 9.9.
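As an added illustration (not Jellyfin's code; the function and constant names are assumptions), here is the kind of defensive validation an upload endpoint needs for a caller-supplied subtitle format and the destination path derived from it: an allowlist for the extension, a single-component check on every user-controlled name, and a final containment check on the resolved path.

```python
from pathlib import Path, PurePosixPath

# Allowlist of subtitle extensions this hypothetical server accepts (assumption).
ALLOWED_SUBTITLE_FORMATS = {"srt", "ass", "ssa", "vtt", "sub"}


def validate_subtitle_format(fmt: str) -> str:
    """Return the normalised extension or raise ValueError.

    Only a short alphanumeric token from the allowlist passes, so a value
    carrying '/', '\\', '..', a NUL byte or a second extension is refused
    before it can influence the destination filename.
    """
    if not isinstance(fmt, str) or not (1 <= len(fmt) <= 8) or not fmt.isalnum():
        raise ValueError("format must be a short alphanumeric token")
    fmt = fmt.lower()
    if fmt not in ALLOWED_SUBTITLE_FORMATS:
        raise ValueError(f"unsupported subtitle format: {fmt!r}")
    return fmt


def _single_path_component(value: str, what: str) -> str:
    """Reject anything that is not exactly one plain filename component."""
    if value in ("", ".", "..") or "\0" in value or "\\" in value:
        raise ValueError(f"{what} must be a plain name")
    if PurePosixPath(value).name != value:  # '/'-separated or absolute input
        raise ValueError(f"{what} must not contain path separators")
    return value


def subtitle_target_path(media_root: str, item_stem: str, language: str, fmt: str) -> Path:
    """Build <media_root>/<item_stem>.<language>.<fmt>, proven to stay under media_root.

    Every caller-controlled piece is validated on its own; the final
    containment check on the resolved path is defence in depth.
    """
    stem = _single_path_component(item_stem, "item name")
    if not (language.isascii() and language.isalpha() and 2 <= len(language) <= 3):
        raise ValueError("language must be a 2-3 letter code")
    ext = validate_subtitle_format(fmt)
    root = Path(media_root).resolve()
    target = (root / f"{stem}.{language.lower()}.{ext}").resolve()
    try:
        target.relative_to(root)  # raises ValueError if target is outside root
    except ValueError:
        raise ValueError("resolved subtitle path escapes the media directory") from None
    return target
```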
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-35031 | RCE | Jellyfin versions prior to 10.11.7 |
| CVE-2026-35031 | Path Traversal | Jellyfin subtitle upload endpoint POST /Videos/{itemId}/Subtitles with unvalidated Format field |
| CVE-2026-35031 | Arbitrary File Write | Jellyfin subtitle upload endpoint via file extension manipulation |
| CVE-2026-35031 | Arbitrary File Read | Jellyfin via .strm files |
| CVE-2026-35031 | Privilege Escalation | Jellyfin via ld.so.preload after arbitrary file write |