{"vulnerability": "CVE-2026-8461", "sightings": [{"uuid": "57c738ff-45cf-4efe-98a9-6e3ae1a0b83a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8461", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mokwvxbso52s", "content": "CVE-2026-8461 - Heap out-of-bounds write via odd slice_height in FFmpeg MagicYUV decoder\nCVE ID : CVE-2026-8461\n \n Published : June 18, 2026, 11:29 a.m. | 1\u00a0hour, 40\u00a0minutes ago\n \n Description : An out-of-bounds write vulnerability in FFmpeg's libavcodec library, specifically ...", "creation_timestamp": "2026-06-18T13:33:14.991357Z"}, {"uuid": "322f7116-4897-4765-b4b4-031c3e06dead", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8461", "type": "seen", "source": "https://bsky.app/profile/offseq.bsky.social/post/3movwrv5h7f2m", "content": "CVE-2026-8461: FFmpeg MagicYUV decoder CRITICAL heap bug enables DoS/RCE via crafted AVI/MKV/MOV files. Patch to 8.1.2 immediately. Impacts Jellyfin, Nextcloud, more. https://radar.offseq.com/threat/ffmpeg-fixes-pixelsmash-flaw-in-widely-used-video--5ccb783d6ccf419b #OffSeq #FFmpeg #MediaSecurity", "creation_timestamp": "2026-06-22T22:30:16.662594Z"}, {"uuid": "992bf095-8caf-48ee-9c31-81efbc101f85", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8461", "type": "seen", "source": "https://infosec.exchange/users/offseq/statuses/116796123601952586", "content": "FFmpeg MagicYUV decoder CRITICAL heap out-of-bounds bug (CVE-2026-8461): AVI/MKV/MOV files can trigger DoS or RCE in apps like Jellyfin, Nextcloud. Patch to 8.1.2 ASAP. https://radar.offseq.com/threat/ffmpeg-fixes-pixelsmash-flaw-in-widely-used-video--5ccb783d6ccf419b #OffSeq #FFmpeg #CVE20268461 #infosec", "creation_timestamp": "2026-06-22T22:30:19.749236Z"}, {"uuid": "ab701121-57fb-438d-999b-9c1cacd41deb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-8461", "type": "seen", "source": "https://bsky.app/profile/ahmandonk.bsky.social/post/3mowkryxxid2t", "content": "\ud83d\udcf0 FFmpeg Tambal Celah Keamanan PixelSmash pada Video Decoder Populer\n\n\ud83d\udc49 Baca artikel lengkap di sini: https://ahmandonk.com/2026/06/23/ffmpeg-tambal-celah-keamanan-pixelsmash/\n\n#cve-2026-8461 #ffmpeg #jellyfin #keamananSiber #kerentananKeamanan #openSource #pixelsmash #pustakaVideo #rce", "creation_timestamp": "2026-06-23T04:28:14.792594Z"}, {"uuid": "b8084197-a459-41d3-91bd-bbc3978ab6e4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8461", "type": "seen", "source": "https://bsky.app/profile/tugate.ch/post/3mowuobekpb2n", "content": "Foi descoberta uma vulnerabilidade cr\u00edtica, denominada PixelSmash, na biblioteca FFmpeg, que pode permitir a execu\u00e7\u00e3o remota de c\u00f3digo em servidores Jellyfin e causar a nega\u00e7\u00e3o de servi\u00e7o em plataformas como Kodi. A falha, identificada como CVE-2026-8461, recebeu uma pontua\u00e7\u00e3o de gravidade significa", "creation_timestamp": "2026-06-23T07:25:06.864830Z"}, {"uuid": "55ff149a-fc69-43a6-a445-eec88c79be55", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8461", "type": "seen", "source": "https://bsky.app/profile/thedailytechfeed.com/post/3mox2wvzuwz26", "content": "FFmpeg's MagicYUV decoder flaw (CVE-2026-8461) enables remote code execution via crafted media files. Update now. #FFmpeg #Security #CVE20268461 #MagicYUV #RemoteCodeExecution thedailytechfeed.com/critical-ffm...", "creation_timestamp": "2026-06-23T09:17:19.147527Z"}, {"uuid": "0d4aedb9-6ada-4456-8961-04a051e7fc45", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8461", "type": "seen", "source": "https://bsky.app/profile/marcus.mastodon.nickebo.net.ap.brid.gy/post/3moxcgqiftyf2", "content": "If you\u2019re collecting Linux ISOs, have a look at CVE-2026-8461 and patch when a patch is available.", "creation_timestamp": "2026-06-23T11:31:54.485027Z"}, {"uuid": "5f318bfb-7afc-4e26-baee-2f71fcc7dd27", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8461", "type": "seen", "source": "https://bsky.app/profile/suriq.io/post/3moxfixt6jw2l", "content": "A video file your server opens by itself can run an attacker's commands.\n\nPixelSmash (CVE-2026-8461) hits anything built on FFmpeg: Jellyfin, Nextcloud, your own upload pipelines.\n\nUpdate FFmpeg to 8.1.2, then watch for media tools spawning a shell.", "creation_timestamp": "2026-06-23T12:26:22.513077Z"}, {"uuid": "821f11d8-6b0b-4158-826e-9a4ac5ef1c83", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8461", "type": "seen", "source": "https://infosec.exchange/users/beyondmachines1/statuses/116798840149721270", "content": "PixelSmash Vulnerability in FFmpeg Enables Remote Code Execution\nFFmpeg version 8.1.2 patches a high-severity heap overflow (CVE-2026-8461) in the MagicYUV decoder that allows attackers to execute arbitrary code via malicious video files. The flaw impacts a wide range of media applications, including Jellyfin and Nextcloud.\n**Update FFmpeg to version 8.1.2 or later immediately to close the PixelSmash flaw (CVE-2026-8461), and update any apps that bundle it like Jellyfin, Nextcloud, Kodi, or OBS. If you can't update right away, restrict file uploads to trusted users only and isolate any servers that automatically scan or process media files.**#cybersecurity #infosec #advisory #vulnerabilityhttps://beyondmachines.net/event_details/pixelsmash-vulnerability-in-ffmpeg-enables-remote-code-execution-p-9-m-z-b/gD2P6Ple2L", "creation_timestamp": "2026-06-23T13:38:48.880693Z"}, {"uuid": "ea67ae6a-d3dd-43b9-ab26-e6714470026c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8461", "type": "seen", "source": "https://bsky.app/profile/mm-ilsoftware-bot.bsky.social/post/3moxkrgsqni2n", "content": "FFmpeg, scoperta la falla PixelSmash: rischio attacchi su Jellyfin, Kodi e Nextcloud\nLa vulnerabilit\u00e0 CVE-2026-8461 nel decoder MagicYUV di...\nhttps://www.ilsoftware.it/ffmpeg-scoperta-la-falla-pixelsmash-rischio-attacchi-su-jellyfin-kodi-e-nextcloud/", "creation_timestamp": "2026-06-23T14:00:35.090788Z"}, {"uuid": "83b99d56-02a9-4ed1-bd62-9b8b97243860", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8461", "type": "seen", "source": "https://bsky.app/profile/sergioiker.bsky.social/post/3moxnj6h6pk2l", "content": "2/ \ud83c\udfac PATCH NOW. PixelSmash (CVE-2026-8461, CVSS 8.8) in FFmpeg's video decoder. One malicious AVI/MKV/MOV file can compromise Jellyfin, Kodi, OBS, Emby, Nextcloud. Zero click on home servers. Fix: FFmpeg 8.1.2, released June 17. (JFrog/BleepingComputer)", "creation_timestamp": "2026-06-23T14:49:39.457399Z"}, {"uuid": "a9cb67e5-4d39-40fd-8c2d-d9a6c03e8594", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8461", "type": "seen", "source": "https://bsky.app/profile/sergioiker.bsky.social/post/3moxnj6hii22l", "content": "2/ \ud83c\udfac PATCH NOW. PixelSmash (CVE-2026-8461, CVSS 8.8) in FFmpeg's video decoder. One malicious AVI/MKV/MOV file can compromise Jellyfin, Kodi, OBS, Emby, Nextcloud. Zero click on home servers. Fix: FFmpeg 8.1.2, released June 17. (JFrog/BleepingComputer)", "creation_timestamp": "2026-06-23T14:49:40.275365Z"}, {"uuid": "5b8540ea-4a3c-4065-a0b4-c09da21abaae", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8461", "type": "seen", "source": "https://bsky.app/profile/sergioiker.bsky.social/post/3moxnj6hkgk2l", "content": "2/ \ud83c\udfac PATCH NOW. PixelSmash (CVE-2026-8461, CVSS 8.8) in FFmpeg's video decoder. One malicious AVI/MKV/MOV file can compromise Jellyfin, Kodi, OBS, Emby, Nextcloud. Zero click on home servers. Fix: FFmpeg 8.1.2, released June 17. (JFrog/BleepingComputer)", "creation_timestamp": "2026-06-23T14:49:41.140400Z"}, {"uuid": "1a476964-d8af-4186-806e-2849d5679383", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8461", "type": "seen", "source": "https://bsky.app/profile/sergioiker.bsky.social/post/3moxnj6hlfs2l", "content": "2/ \ud83c\udfac PATCH NOW. PixelSmash (CVE-2026-8461, CVSS 8.8) in FFmpeg's video decoder. One malicious AVI/MKV/MOV file can compromise Jellyfin, Kodi, OBS, Emby, Nextcloud. Zero click on home servers. Fix: FFmpeg 8.1.2, released June 17. (JFrog/BleepingComputer)", "creation_timestamp": "2026-06-23T14:49:42.032471Z"}, {"uuid": "e514e46d-c445-4f1c-8495-23487eed2746", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8461", "type": "seen", "source": "https://bsky.app/profile/sergioiker.bsky.social/post/3moxnj6hlft2l", "content": "2/ \ud83c\udfac PATCH NOW. PixelSmash (CVE-2026-8461, CVSS 8.8) in FFmpeg's video decoder. One malicious AVI/MKV/MOV file can compromise Jellyfin, Kodi, OBS, Emby, Nextcloud. Zero click on home servers. Fix: FFmpeg 8.1.2, released June 17. (JFrog/BleepingComputer)", "creation_timestamp": "2026-06-23T14:49:42.854403Z"}, {"uuid": "b2c74d06-cd5b-462b-8eb5-202a6eef8616", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8461", "type": "seen", "source": "https://bsky.app/profile/sergioiker.bsky.social/post/3moxnj6hmf32l", "content": "2/ \ud83c\udfac PATCH NOW. PixelSmash (CVE-2026-8461, CVSS 8.8) in FFmpeg's video decoder. One malicious AVI/MKV/MOV file can compromise Jellyfin, Kodi, OBS, Emby, Nextcloud. Zero click on home servers. Fix: FFmpeg 8.1.2, released June 17. (JFrog/BleepingComputer)", "creation_timestamp": "2026-06-23T14:49:43.689672Z"}, {"uuid": "1de690d9-f670-4e9a-a238-18f68711c23b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8461", "type": "seen", "source": "https://bsky.app/profile/sergioiker.bsky.social/post/3moxnj6hned2l", "content": "2/ \ud83c\udfac PATCH NOW. PixelSmash (CVE-2026-8461, CVSS 8.8) in FFmpeg's video decoder. One malicious AVI/MKV/MOV file can compromise Jellyfin, Kodi, OBS, Emby, Nextcloud. Zero click on home servers. Fix: FFmpeg 8.1.2, released June 17. (JFrog/BleepingComputer)", "creation_timestamp": "2026-06-23T14:49:44.548665Z"}, {"uuid": "b9877a56-051e-48fd-ac71-1975eb2ba779", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8461", "type": "seen", "source": "https://bsky.app/profile/sergioiker.bsky.social/post/3moxnj6hnef2l", "content": "2/ \ud83c\udfac PATCH NOW. PixelSmash (CVE-2026-8461, CVSS 8.8) in FFmpeg's video decoder. One malicious AVI/MKV/MOV file can compromise Jellyfin, Kodi, OBS, Emby, Nextcloud. Zero click on home servers. Fix: FFmpeg 8.1.2, released June 17. (JFrog/BleepingComputer)", "creation_timestamp": "2026-06-23T14:49:46.203064Z"}, {"uuid": "748ab998-bebf-45e5-98f9-8758b4cf8935", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8461", "type": "seen", "source": "https://bsky.app/profile/sergioiker.bsky.social/post/3moxnj6hnee2l", "content": "2/ \ud83c\udfac PATCH NOW. PixelSmash (CVE-2026-8461, CVSS 8.8) in FFmpeg's video decoder. One malicious AVI/MKV/MOV file can compromise Jellyfin, Kodi, OBS, Emby, Nextcloud. Zero click on home servers. Fix: FFmpeg 8.1.2, released June 17. (JFrog/BleepingComputer)", "creation_timestamp": "2026-06-23T14:49:45.376469Z"}, {"uuid": "7f38a974-219a-42cb-9399-0ed078b05f2b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8461", "type": "seen", "source": "https://bsky.app/profile/securitylab-jp.bsky.social/post/3moyq2yopls23", "content": "FFmpeg \u306e MagicYUV\u30c7\u30b3\u30fc\u30c0\u30fc\u306b\u6df1\u523b\u306a\u8106\u5f31\u6027 PixelSmash-CVE-2026-8461\nrocket-boys.co.jp/security-mea...\n\n#\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u5bfe\u7b56Lab #security #securitynews", "creation_timestamp": "2026-06-24T01:08:07.265584Z"}, {"uuid": "9923d8ac-233c-430f-b9eb-05e4ef84d73b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8461", "type": "seen", "source": "https://bsky.app/profile/niiqo.bsky.social/post/3mozp3ef3og2w", "content": "PixelSmash : une faille FFmpeg expose Jellyfin au RCE\n\nwww.it-connect.fr/pixelsmash-u...\n\nPixelSmash est une faille critique de FFmpeg (CVE-2026-8461) permettant d'ex\u00e9cuter du code \u00e0 distance sur un serveur Jellyfin via un simple fichier vid\u00e9o pi\u00e9g\u00e9.\n\nLe post PixelSmash : une faille FFmp\u2026", "creation_timestamp": "2026-06-24T10:23:05.659368Z"}, {"uuid": "ca4465ef-2f93-41ed-bfcf-d017435f84b6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8461", "type": "seen", "source": "https://bsky.app/profile/securityrss.bsky.social/post/3mp2hd3u43l2q", "content": "A critical vulnerability, CVE-2026-8461 (\"PixelSmash\"), in FFmpeg's MagicYUV decoder allows remote code execution via crafted media files. The flaw, with a CVSS score of 8.8, affects applications like Kodi and Jellyfin, enabling attackers to exploit the bug through media file uploads.", "creation_timestamp": "2026-06-24T17:36:55.452364Z"}, {"uuid": "c591dca3-d64a-41dc-bcee-3df97e422e33", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8461", "type": "seen", "source": "https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3mp2j3hfug4n2", "content": "PixelSmash flaw turns video files into attack tools Researchers have found a critical FFmpeg flaw that could let attackers use a malicious video file to compromise vulnerable systems. A newly disco...\n\n#Bugs #News #CVE-2026-8461 #ffmpeg #MagicYUV\n\nOrigin | Interest | Match", "creation_timestamp": "2026-06-24T18:08:30.237137Z"}, {"uuid": "1a1b4672-0df4-44bd-83de-0a9d8baec957", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-8461", "type": "seen", "source": "https://bsky.app/profile/undercodenews.bsky.social/post/3mp2jk54sbh2c", "content": "PixelSmash CVE-2026-8461: The Tiny Video File Flaw That Could Give Attackers Control Over FFmpeg Systems +\u00a0Video\n\nIntroduction: When a Simple Video Preview Becomes a Security Threat Modern technology depends heavily on invisible software layers that most users never notice. Every time a computer\u2026", "creation_timestamp": "2026-06-24T18:16:35.843454Z"}]}