Jellyfin disclosed CVE-2026-48793, a high-severity flaw affecting versions earlier than 10.11.10, in which subtitle conversion code passes an unescaped subtitle file path into FFmpeg command-line arguments. On Linux, a specially crafted subtitle filename containing double quotes can break argument quoting and inject arbitrary FFmpeg options through SubtitleEncoder.ConvertTextSubtitleToSrtInternal, exposing a vulnerability class previously seen in related Jellyfin issues.
The vulnerable code path is reachable without authentication through SubtitleController.GetSubtitle, and an attacker who can place a file in a Jellyfin media library directory—such as through a shared NAS, Samba share, or guest upload workflow—could trigger arbitrary file write on the server and information disclosure. The issue carries a CVSS v3.1 score of 8.8, was reported by Alister MacCormack, and has been fixed in Jellyfin 10.11.10; administrators are advised to upgrade and restrict untrusted file placement in media library paths.
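The flaw class described above, as an added illustration that is not Jellyfin's own code: the string-built argument line that lets a quoted path be re-tokenised, beside an argv-based builder that keeps the path as one argument, plus a defender-side audit of subtitle filenames in a library. `shlex` is used here only to approximate how a flat argument string is split into tokens on Linux; all function names, the subtitle extensions and the sample filenames are assumptions.

```python
import shlex
from pathlib import PurePosixPath

# Characters that let a filename escape a quoted, string-built argument line
# (the flaw class named in the advisory). Constructed for this example.
UNSAFE_CHARS = {'"', "\n", "\r", "\0"}
SUBTITLE_EXTS = {".srt", ".ass", ".ssa", ".vtt", ".sub"}  # assumed set


def build_args_string_unsafe(subtitle_path: str, out_path: str) -> str:
    """Vulnerable pattern: the path is pasted into a single quoted string.
    Illustrates the flaw class only; this is not Jellyfin's actual builder."""
    return f'-i "{subtitle_path}" -c:s srt "{out_path}"'


def build_argv_safe(subtitle_path: str, out_path: str) -> list[str]:
    """Hardened pattern: every argument is its own argv element, so quoting
    rules never apply to the path; names starting with '-' are shielded so
    ffmpeg cannot read them as an option."""
    if any(c in subtitle_path for c in UNSAFE_CHARS):
        raise ValueError("refusing subtitle path with quote/control characters")
    if subtitle_path.startswith("-"):
        subtitle_path = "./" + subtitle_path
    return ["ffmpeg", "-i", subtitle_path, "-c:s", "srt", out_path]


def string_build_is_retokenised(subtitle_path: str, out_path: str) -> bool:
    """True when the string-built line no longer splits into the five intended
    tokens (-i, path, -c:s, srt, out), i.e. the filename broke its quotes.
    An unbalanced quote makes the parser fail, which is also a breakout."""
    try:
        tokens = shlex.split(build_args_string_unsafe(subtitle_path, out_path))
    except ValueError:
        return True
    return len(tokens) != 5


def audit_library(filenames) -> list[str]:
    """Defender check: subtitle names a media library directory should not
    contain, e.g. from an untrusted share or upload path."""
    flagged = []
    for name in filenames:
        if PurePosixPath(name).suffix.lower() not in SUBTITLE_EXTS:
            continue
        if any(c in name for c in UNSAFE_CHARS) or name.startswith("-"):
            flagged.append(name)
    return flagged
```

The audit can be run over a directory listing of each library path before exposing it to the subtitle endpoint, and the argv builder is the shape any process launch that takes a user-controlled path should use.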

CVE-2026-48793 was published as a high-severity Jellyfin vulnerability with a CVSS v3.1 score of 8.8. The CVE describes unauthenticated reachability through SubtitleController.GetSubtitle and notes that attackers able to place files in a media library directory may achieve arbitrary file write and information disclosure.
Jellyfin disclosed a security advisory for a potential FFmpeg argument injection vulnerability affecting versions earlier than 10.11.10 and stated the issue was fixed in version 10.11.10. The flaw involved unescaped subtitle file paths in the subtitle conversion code path and could allow arbitrary FFmpeg argument injection on Linux.