Jellyfin RCE | Inconsistent Validation Leads to Argument Injection
Blog post from Sonar
An argument injection vulnerability in Jellyfin (CVE-2026-35033) allows unauthenticated attackers to execute arbitrary code on instances prior to version 10.11.7. The root cause is inconsistent validation: transcoding options parsed from semicolon-separated query parameters bypass the regex checks, which lets attackers manipulate FFmpeg command line arguments. With that control, attackers can read and write arbitrary files, potentially leading to code execution through the .NET JIT compiler's doublemapper memfd virtual file.

The Jellyfin maintainers quickly addressed the flaw in version 10.11.7 by ensuring consistent regex-based validation for semicolon-separated parameters. The vulnerability highlights the importance of thorough input validation, since inadequate validation can lead to severe security issues. The blog post also underscores the interconnected nature of system security, where even robust components like .NET's JIT compiler can inadvertently introduce attack vectors, and commends the Jellyfin maintainers for their prompt response and effective communication in resolving the issue.
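
The inconsistent-validation pattern described above, as an added example that is not code from Jellyfin or from the Sonar post: a simplified Python model in which the option names, the `params` parameter, the regex and the sample query are all hypothetical. It shows one validator applied on the top-level path but skipped on the semicolon-separated path, and the same parser once both paths share the check.

```python
import re
from urllib.parse import parse_qs

# Hypothetical allow-list: alphanumeric start, no spaces, no leading dash.
SAFE_VALUE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.]{0,31}")
OPTION_KEYS = ("container", "video_codec", "audio_codec")  # hypothetical names
PACKED_PARAM = "params"  # hypothetical semicolon-separated parameter

# Constructed sample: the middle field carries whitespace and a dash-prefixed token.
CONSTRUCTED_QUERY = "container=mp4&params=mkv;h264%20-x_placeholder%20value;aac"


def checked(name, value):
    """Return value only if it matches the allow-list, else raise."""
    if not SAFE_VALUE.fullmatch(value):
        raise ValueError(f"rejected {name}={value!r}")
    return value


def parse_options(query, validate_packed):
    """Build transcoding options from a query string.

    validate_packed=False models the flawed shape: top-level parameters are
    regex-checked, fields split out of the packed parameter are not.
    validate_packed=True models the fix: every path uses the same check.
    """
    raw = parse_qs(query, separator="&")
    opts = {k: checked(k, raw[k][0]) for k in OPTION_KEYS if k in raw}
    fields = raw.get(PACKED_PARAM, [""])[0].split(";")
    for key, field in zip(OPTION_KEYS, fields):
        if field:  # positional fields override the top-level values
            opts[key] = checked(key, field) if validate_packed else field
    return opts


def extra_tokens(opts):
    """Options that would become more than one token in a command string."""
    return {k: v.split() for k, v in opts.items() if len(v.split()) != 1}


if __name__ == "__main__":
    weak = parse_options(CONSTRUCTED_QUERY, validate_packed=False)
    print("unvalidated path accepted:", extra_tokens(weak))
    try:
        parse_options(CONSTRUCTED_QUERY, validate_packed=True)
    except ValueError as err:
        print("consistent validation:", err)
```

A useful review check for this class of bug is to list every code path that writes to an option object and confirm each one passes through the same validator before the value reaches command construction.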