Search criteria
2 vulnerabilities by CyferShepard
CVE-2026-41167 (GCVE-0-2026-41167)
Vulnerability from cvelistv5 – Published: 2026-04-22 20:39 – Updated: 2026-04-23 13:46
Title
Jellystat has SQL Injection that leads to Remote Code Execution
Summary
Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via `POST /api/getUserDetails` and `POST /api/getLibrary`, enabling full read of any table in the database - including `app_config`, which stores the Jellystat admin credentials, the Jellyfin API key, and the Jellyfin host URL. Because the vulnerable call site dispatches via `node-postgres`'s simple query protocol (no parameter array is passed), stacked queries are allowed, which escalates the injection from data disclosure to arbitrary command execution on the PostgreSQL host via `COPY ... TO PROGRAM`. Under the role shipped by the project's `docker-compose.yml` (a PostgreSQL superuser), no additional privileges are required to reach the RCE primitive. Version 1.1.10 contains a fix.
Severity
9.1 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/CyferShepard/Jellystat/securit… | x_refsource_CONFIRM |
| https://github.com/CyferShepard/Jellystat/commit/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| CyferShepard | Jellystat | Affected: < 1.1.10 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41167",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T13:45:57.789345Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T13:46:23.680Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/CyferShepard/Jellystat/security/advisories/GHSA-fj7c-2p5q-g56m"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jellystat",
"vendor": "CyferShepard",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via `POST /api/getUserDetails` and `POST /api/getLibrary`, enabling full read of any table in the database - including `app_config`, which stores the Jellystat admin credentials, the Jellyfin API key, and the Jellyfin host URL. Because the vulnerable call site dispatches via `node-postgres`\u0027s simple query protocol (no parameter array is passed), stacked queries are allowed, which escalates the injection from data disclosure to arbitrary command execution on the PostgreSQL host via `COPY ... TO PROGRAM`. Under the role shipped by the project\u0027s `docker-compose.yml` (a PostgreSQL superuser), no additional privileges are required to reach the RCE primitive. Version 1.1.10 contains a fix."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T20:39:31.044Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/CyferShepard/Jellystat/security/advisories/GHSA-fj7c-2p5q-g56m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/CyferShepard/Jellystat/security/advisories/GHSA-fj7c-2p5q-g56m"
},
{
"name": "https://github.com/CyferShepard/Jellystat/commit/735fe7c6eb0e3e34e92a8a82fd21914d76693665",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/CyferShepard/Jellystat/commit/735fe7c6eb0e3e34e92a8a82fd21914d76693665"
}
],
"source": {
"advisory": "GHSA-fj7c-2p5q-g56m",
"discovery": "UNKNOWN"
},
"title": "Jellystat has SQL Injection that leads to to Remote Code Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41167",
"datePublished": "2026-04-22T20:39:31.044Z",
"dateReserved": "2026-04-17T16:34:45.525Z",
"dateUpdated": "2026-04-23T13:46:23.680Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-24960 (GCVE-0-2025-24960)
Vulnerability from cvelistv5 – Published: 2025-02-03 20:40 – Updated: 2025-02-12 20:51
Title
Missing Input validation for filename in backups endpoint in Jellystat
Summary
Jellystat is a free and open source Statistics App for Jellyfin. In affected versions Jellystat is directly using a user input in the route(s). This can lead to Path Traversal Vulnerabilities. Since this functionality is only for admin(s), there is very little scope for abuse. However, the `DELETE` `files/:filename` can be used to delete any file. This issue has been addressed in version 1.1.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Severity
8.7 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/CyferShepard/Jellystat/securit… | x_refsource_CONFIRM |
| https://github.com/CyferShepard/Jellystat/pull/303 | x_refsource_MISC |
| https://cwe.mitre.org/data/definitions/22.html | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| CyferShepard | Jellystat | Affected: < 1.1.3 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24960",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-03T21:14:57.006871Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:51:26.290Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Jellystat",
"vendor": "CyferShepard",
"versions": [
{
"status": "affected",
"version": "\u003c 1.1.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jellystat is a free and open source Statistics App for Jellyfin. In affected versions Jellystat is directly using a user input in the route(s). This can lead to Path Traversal Vulnerabilities. Since this functionality is only for admin(s), there is very little scope for abuse. However, the `DELETE` `files/:filename` can be used to delete any file. This issue has been addressed in version 1.1.3. Users are advised to upgrade. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-03T20:40:50.403Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/CyferShepard/Jellystat/security/advisories/GHSA-6x46-6w9f-ffv6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/CyferShepard/Jellystat/security/advisories/GHSA-6x46-6w9f-ffv6"
},
{
"name": "https://github.com/CyferShepard/Jellystat/pull/303",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/CyferShepard/Jellystat/pull/303"
},
{
"name": "https://cwe.mitre.org/data/definitions/22.html",
"tags": [
"x_refsource_MISC"
],
"url": "https://cwe.mitre.org/data/definitions/22.html"
}
],
"source": {
"advisory": "GHSA-6x46-6w9f-ffv6",
"discovery": "UNKNOWN"
},
"title": "Missing Input validation for filename in backups endpoint in Jellystat"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-24960",
"datePublished": "2025-02-03T20:40:50.403Z",
"dateReserved": "2025-01-29T15:18:03.209Z",
"dateUpdated": "2025-02-12T20:51:26.290Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}