Jellystat SQLi to RCE Critical Vulnerability (CVE-2026-41167)
The National Vulnerability Database has detailed CVE-2026-41167, a critical SQL injection vulnerability in Jellystat, a free and open-source statistics application for Jellyfin. Prior to version 1.1.10, multiple API endpoints, specifically POST /api/getUserDetails and POST /api/getLibrary, construct SQL queries by directly interpolating unsanitized request-body fields.
This flaw allows an authenticated attacker to inject arbitrary SQL, leading to full data disclosure from any database table. Crucially, this includes app_config, which stores sensitive data like Jellystat admin credentials, Jellyfin API keys, and the Jellyfin host URL. The node-postgres simple query protocol, used by the vulnerable call site, permits stacked queries, escalating the injection from data disclosure to arbitrary command execution on the PostgreSQL host via COPY ... TO PROGRAM.
Given the PostgreSQL superuser role assigned by the project’s docker-compose.yml, no additional privileges are needed to achieve this RCE. The CVSS score of 9.1 (CRITICAL) underscores the severity. Defenders using Jellystat must prioritize patching to version 1.1.10 immediately to mitigate this high-impact vulnerability.
What This Means For You
- If your organization uses Jellystat, you are exposed to critical SQL injection and remote code execution. Immediately verify your Jellystat version and patch to 1.1.10. Audit logs for suspicious database activity, especially around `POST /api/getUserDetails` and `POST /api/getLibrary` endpoints, and review PostgreSQL host logs for unusual `COPY ... TO PROGRAM` executions.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
Jellystat SQLi to RCE via COPY TO PROGRAM - CVE-2026-41167
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-41167 | SQLi | Jellystat < 1.1.10 |
| CVE-2026-41167 | SQLi | POST /api/getUserDetails |
| CVE-2026-41167 | SQLi | POST /api/getLibrary |
| CVE-2026-41167 | RCE | Jellystat < 1.1.10 via stacked SQLi and COPY ... TO PROGRAM |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 23, 2026 at 00:17 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related Posts
WeKan SSRF Vulnerability: Internal Network Exposure Risk
CVE-2026-41455 — WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol...
Wekan API Flaw Grants Board Members Admin Powers
CVE-2026-41454 — WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without...
CVE-2026-41177 — Server-Side Request Forgery
CVE-2026-41177 — Squidex is an open source headless content management system and content management hub. Prior to version 7.23.0, the Squidex Restore API is vulnerable...