Vulnerability Description
Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via `POST /api/getUserDetails` and `POST /api/getLibrary`, enabling full read of any table in the database - including `app_config`, which stores the Jellystat admin credentials, the Jellyfin API key, and the Jellyfin host URL. Because the vulnerable call site dispatches via `node-postgres`'s simple query protocol (no parameter array is passed), stacked queries are allowed, which escalates the injection from data disclosure to arbitrary command execution on the PostgreSQL host via `COPY ... TO PROGRAM`. Under the role shipped by the project's `docker-compose.yml` (a PostgreSQL superuser), no additional privileges are required to reach the RCE primitive. Version 1.1.10 contains a fix.
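The query-building pattern the advisory describes beside its parameterized counterpart, as an added illustration in JavaScript (not Jellystat's own code): no database connection is opened, each builder returns what would be handed to node-postgres' `client.query(...)`, and the table name `jf_users`, the column `"Id"` and the function names are assumptions.

```javascript
// Added illustration, not Jellystat's code. Table and column names are
// assumed for the example; no database connection is made.

// Vulnerable shape: the request-body field is spliced into the SQL text.
// Handing pg a bare string selects the simple query protocol, under which
// the server accepts several ';'-separated statements in one round trip.
function buildUserDetailsUnsafe(body) {
  return `SELECT * FROM jf_users WHERE "Id" = '${body.userid}'`;
}

// Hardened shape: a $1 placeholder plus a values array. pg then uses the
// extended query protocol: the value travels as data, is never parsed as
// SQL, and the server refuses more than one statement in the query text.
function buildUserDetailsSafe(body) {
  if (typeof body.userid !== 'string' || body.userid.length === 0) {
    throw new TypeError('userid must be a non-empty string');
  }
  return {
    text: 'SELECT * FROM jf_users WHERE "Id" = $1',
    values: [body.userid],
  };
}

// Cheap sanity check a reviewer can run over a built statement: single
// quotes in a well-formed query come in pairs. An odd count means user
// input has escaped the string literal and is now part of the SQL itself.
function hasBalancedQuotes(sql) {
  const count = (sql.match(/'/g) || []).length;
  return count % 2 === 0;
}

// Constructed sample request bodies: an ordinary id and a legitimate value
// that happens to contain a single quote.
const ordinary = { userid: 'user-123' };
const withQuote = { userid: "O'Brien" };

console.log(hasBalancedQuotes(buildUserDetailsUnsafe(ordinary)));     // true
console.log(hasBalancedQuotes(buildUserDetailsUnsafe(withQuote)));    // false: literal broken
console.log(buildUserDetailsSafe(withQuote).values[0] === "O'Brien"); // true: kept as data
```

The same change (placeholder plus values array instead of template interpolation) is what removes both the injection and the stacked-query primitive the advisory mentions.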
CVSS Score
9.1 (CRITICAL)
Related Weaknesses (CWE)
References
- https://github.com/CyferShepard/Jellystat/commit/735fe7c6eb0e3e34e92a8a82fd21914
- https://github.com/CyferShepard/Jellystat/security/advisories/GHSA-fj7c-2p5q-g56
FAQ
What is CVE-2026-41167?
CVE-2026-41167 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directl...
How severe is CVE-2026-41167?
CVE-2026-41167 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-41167?
Yes. Jellystat version 1.1.10 contains the fix; the commit and the GitHub security advisory linked in the references section above carry the details. Deployments running an earlier version should upgrade.