Jellystat, an open source statistics app for Jellyfin, contains a critical SQL injection vulnerability in versions prior to 1.1.10. Multiple API endpoints build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. Authenticated users can exploit POST /api/getUserDetails and POST /api/getLibrary endpoints to inject arbitrary SQL, enabling full database read access including admin credentials and API keys. The vulnerability escalates to remote code execution through PostgreSQL's COPY TO PROGRAM feature with stacked queries. The PostgreSQL superuser role in the default docker-compose.yml configuration requires no additional privileges for RCE exploitation.