Perceptive Security
SOC/SIEM Consultancy

Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating…
Published: 21 April 2026 at 22:00:00
Alert date: 22 April 2026 at 22:11:22
Source: nvd.nist.gov
Web Technologies, Database & Storage
Jellystat, an open source statistics app for Jellyfin, contains a critical SQL injection vulnerability in versions prior to 1.1.10. Multiple API endpoints build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. Authenticated users can exploit the POST /api/getUserDetails and POST /api/getLibrary endpoints to inject arbitrary SQL, giving full read access to the database, including admin credentials and API keys. The vulnerability escalates to remote code execution through PostgreSQL's COPY TO PROGRAM feature combined with stacked queries. Because the default docker-compose.yml configuration connects as the PostgreSQL superuser role, no additional privileges are needed for RCE.
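The following is an added illustration, not Jellystat's own code: the interpolation pattern the advisory describes for the getUserDetails endpoint, beside the parameterized form that removes the injection. The table and column names, the request shape and the node-postgres style of `{ text, values }` query objects are assumptions; the same change applies to the getLibrary endpoint.

```javascript
// Added example (not Jellystat's code). Table/column names and the request
// body shape are assumptions made for illustration.

// Vulnerable pattern: a request-body field is spliced into the SQL text, so a
// quote in the input changes the statement instead of staying data. With
// stacked queries this is what lets an attacker append further statements.
function buildUserDetailsQueryUnsafe(body) {
  return {
    text: `SELECT * FROM jf_users WHERE "Id" = '${body.userid}'`,
    values: [],
  };
}

// Hardened pattern: the SQL text is a constant and the field travels in the
// values array. node-postgres sends client.query(text, values) over the
// extended query protocol, where parameters are never parsed as SQL and the
// server rejects more than one statement per query, so stacked queries fail.
function buildUserDetailsQuerySafe(body) {
  if (typeof body.userid !== "string") {
    throw new TypeError("userid must be a string");
  }
  return {
    text: 'SELECT * FROM jf_users WHERE "Id" = $1',
    values: [body.userid],
  };
}

// Constructed request body: a single apostrophe is enough to show the
// difference between the two builders.
const constructedBody = { userid: "O'Brien" };
```

With the unsafe builder the apostrophe terminates the string literal in the generated SQL; with the safe builder the SQL text never contains the input at all.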
Technical details
Mitigation steps:
Upgrade to Jellystat 1.1.10 or later, which contains the fix referenced in the commit linked below. Where the default docker-compose.yml is in use, avoid connecting Jellystat to PostgreSQL as the superuser role, since that role is what allows the injection to escalate to remote code execution.
Affected products:
Jellystat
Jellyfin
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-41167
https://github.com/CyferShepard/Jellystat/commit/735fe7c6eb0e3e34e92a8a82fd21914d76693665
https://github.com/CyferShepard/Jellystat/security/advisories/GHSA-fj7c-2p5q-g56m
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
