{"id":"CVE-2026-49247","summary":"Jellyfin: Potential authenticated path traversal in /ClientLog/Document","details":"Jellyfin is an open-source, self-hosted media server. From 10.9.0 up to but not including 10.11.10, the POST /ClientLog/Document endpoint accepts the Authorization header's Client and Version fields and uses them, unsanitized, as components of the on-disk filename when persisting client-uploaded log documents. As a result, any authenticated user, including a non-admin, can include ../ sequences in the Client field to make Jellyfin write attacker-controlled content to an arbitrary path writable by the Jellyfin service user; the written file always carries a forced .log suffix. This vulnerability is fixed in 10.11.10; affected deployments should upgrade to 10.11.10 or later.","aliases":["GHSA-jg92-mrxq-vv75"],"modified":"2026-06-27T11:55:26.779578085Z","published":"2026-06-24T18:18:46.137Z","database_specific":{"cwe_ids":["CWE-22"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49247.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/49xxx/CVE-2026-49247.json"},{"type":"ADVISORY","url":"https://github.com/jellyfin/jellyfin/security/advisories/GHSA-jg92-mrxq-vv75"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-49247"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jellyfin/jellyfin","events":[{"introduced":"327f92bb2e26cf058a14e7eff34ed2798dc8fc0d"},{"fixed":"4b4b4cd94d8d3fe20b2b2b576edbc5cfa933fe07"}],"database_specific":{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"10.9.0"},{"fixed":"10.11.10"}]}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-49247.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}