CVE-2026-41167
Awaiting Analysis Awaiting Analysis - Queue
SQL Injection in Jellystat API Enables Remote Code Execution

Publication date: 2026-04-22

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via `POST /api/getUserDetails` and `POST /api/getLibrary`, enabling full read of any table in the database - including `app_config`, which stores the Jellystat admin credentials, the Jellyfin API key, and the Jellyfin host URL. Because the vulnerable call site dispatches via `node-postgres`'s simple query protocol (no parameter array is passed), stacked queries are allowed, which escalates the injection from data disclosure to arbitrary command execution on the PostgreSQL host via `COPY ... TO PROGRAM`. Under the role shipped by the project's `docker-compose.yml` (a PostgreSQL superuser), no additional privileges are required to reach the RCE primitive. Version 1.1.10 contains a fix.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-23
EPSS Evaluated
2026-06-14
NVD
CVE-2026-41167
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jellystat jellystat to 1.1.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Jellystat, a free and open source Statistics App for Jellyfin, in versions prior to 1.1.10. Multiple API endpoints build SQL queries by directly inserting unsanitized request-body fields into raw SQL strings. An authenticated user can exploit this by injecting arbitrary SQL through the POST /api/getUserDetails and POST /api/getLibrary endpoints.

This SQL injection allows the attacker to read any table in the database, including sensitive tables like app_config, which contains admin credentials, the Jellyfin API key, and the Jellyfin host URL.

Because the vulnerable queries use the node-postgres simple query protocol without parameter arrays, stacked queries are allowed. This escalates the attack from just data disclosure to arbitrary command execution on the PostgreSQL host using the COPY ... TO PROGRAM feature.

Under the default PostgreSQL superuser role shipped with the project's docker-compose.yml, no additional privileges are needed to perform remote code execution (RCE). The issue is fixed in version 1.1.10.

Impact Analysis

This vulnerability can have severe impacts including unauthorized disclosure of sensitive data and full system compromise.

  • An attacker can read any database table, exposing sensitive information such as admin credentials and API keys.
  • The vulnerability allows escalation from data disclosure to arbitrary command execution on the database host, potentially leading to full remote code execution.
  • Because the default PostgreSQL role is a superuser, the attacker does not need additional privileges to exploit this vulnerability.

Overall, this can lead to complete compromise of the Jellystat application and the underlying system hosting the database.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade Jellystat to version 1.1.10 or later, as this version contains the fix for the SQL injection and remote code execution issues.

Executive Summary

This vulnerability exists in Jellystat, a free and open source Statistics App for Jellyfin, in versions prior to 1.1.10. Multiple API endpoints build SQL queries by directly inserting unsanitized request-body fields into raw SQL strings. An authenticated user can exploit this by injecting arbitrary SQL through the POST /api/getUserDetails and POST /api/getLibrary endpoints.

Because the queries use the simple query protocol of node-postgres without parameterization, stacked queries are allowed. This means the attacker can escalate from just reading data to executing arbitrary commands on the PostgreSQL host using the COPY ... TO PROGRAM feature.

The default PostgreSQL role shipped with the project's docker-compose.yml is a superuser, so no additional privileges are needed to perform remote code execution (RCE). The vulnerability is fixed in version 1.1.10.

Impact Analysis

This vulnerability can have severe impacts including full disclosure of any database table, such as sensitive configuration data like admin credentials, Jellyfin API keys, and host URLs.

Beyond data disclosure, an attacker can execute arbitrary commands on the PostgreSQL host system, potentially leading to complete system compromise.

Because the default role is a PostgreSQL superuser, the attacker does not need additional privileges, increasing the risk and ease of exploitation.

Mitigation Strategies

To mitigate this vulnerability, upgrade Jellystat to version 1.1.10 or later, as this version contains the fix for the SQL injection and remote code execution issues.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41167. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart