CVE-2026-49220 — MEDIUM (5.7)

Vulnerability Description

Jellyfin is an open source self hosted media server. Prior to 10.11.9, a potential XSS attack exists in Jellyfin which can allow a non-privileged user to execute arbitrary Javascript in the context of a logged-in Administrative user, resulting in numerous potential issues. The Client header during an AuthenticateByName can contain arbitrary HTML and Javascript, which will then be executed by the Administrative user when visiting the Access tab of the user in question from within the dashboard. This vulnerability is fixed in 10.11.9.

CVSS Score

5.7

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Related Weaknesses (CWE)

CWE-79

References

https://github.com/jellyfin/jellyfin/security/advisories/GHSA-fv79-gmhx-xh2v

FAQ

What is CVE-2026-49220?

CVE-2026-49220 is a vulnerability with a CVSS score of 5.7 (MEDIUM). Jellyfin is an open source self hosted media server. Prior to 10.11.9, a potential XSS attack exists in Jellyfin which can allow a non-privileged user to execute arbitrary Javascript in the context of...

How severe is CVE-2026-49220?

CVE-2026-49220 has been rated MEDIUM with a CVSS base score of 5.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-49220?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.