CVE-2026-41167
Status: Awaiting Analysis - Queue
SQL Injection in Jellystat API Enables Remote Code Execution

Publication date: 2026-04-22

Last updated on: 2026-04-23

Assigner: GitHub, Inc.

Description
Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via `POST /api/getUserDetails` and `POST /api/getLibrary`, enabling full read of any table in the database - including `app_config`, which stores the Jellystat admin credentials, the Jellyfin API key, and the Jellyfin host URL. Because the vulnerable call site dispatches via `node-postgres`'s simple query protocol (no parameter array is passed), stacked queries are allowed, which escalates the injection from data disclosure to arbitrary command execution on the PostgreSQL host via `COPY ... TO PROGRAM`. Under the role shipped by the project's `docker-compose.yml` (a PostgreSQL superuser), no additional privileges are required to reach the RCE primitive. Version 1.1.10 contains a fix.
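The description turns on one detail: node-postgres picks the wire protocol from the shape of the `query()` call. A single interpolated string goes out over the simple query protocol, which accepts several `;`-separated statements in one round trip; a query config with a `values` array goes out over the extended query protocol, where the input is bound as data and PostgreSQL refuses text that contains more than one statement. The following added example (not Jellystat's own code; the table name, column name and body field `userid` are assumptions for illustration) shows the hardened shape of such an endpoint handler plus a small review helper that flags SQL template literals interpolating request data during code review.

```javascript
// Added example, not code from the Jellystat project. Table and column names
// and the request field name are assumptions chosen for illustration.

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Vulnerable shape the advisory describes (shown as a comment only):
//   client.query(`SELECT * FROM jf_users WHERE "Id" = '${req.body.userid}'`)
// One string argument and no values array means pg uses the simple query
// protocol, so whatever lands in the string is executed as SQL text.

// Hardened shape: validate the input's form, then hand the value to pg
// separately from the statement text.
function buildUserDetailsQuery(body) {
  const userId = body && body.userid;
  // Allow-list the expected shape before the value gets near SQL at all.
  if (typeof userId !== 'string' || !UUID_RE.test(userId)) {
    throw new TypeError('userid must be a UUID string');
  }
  // This object is what you pass to client.query(). Because `values` is
  // present, pg uses the extended query protocol: $1 is bound as data and
  // PostgreSQL rejects statement text containing more than one command.
  return {
    text: 'SELECT * FROM jf_users WHERE "Id" = $1', // table/column assumed
    values: [userId],
  };
}

// Review helper: report template literals that look like SQL and contain a
// ${...} interpolation. Returns the 1-based line of each finding. This is a
// heuristic for code review, not a complete taint analysis.
function findInterpolatedSql(source) {
  const findings = [];
  const re = /`\s*(SELECT|INSERT|UPDATE|DELETE|WITH)\b[^`]*\$\{[^`]*`/gi;
  let m;
  while ((m = re.exec(source)) !== null) {
    const line = source.slice(0, m.index).split('\n').length;
    findings.push({ line, snippet: m[0].slice(0, 60) });
  }
  return findings;
}

// Usage with a pg client (not executed here):
//   const { rows } = await client.query(buildUserDetailsQuery(req.body));
```

The validator is a belt-and-braces layer: parameterization alone already removes the injection, but rejecting anything that is not a UUID also keeps malformed values out of the logs and error paths. The review helper is the kind of check that would have surfaced the interpolated call sites the advisory describes.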
Meta Information
Published: 2026-04-22
Last Modified: 2026-04-23
Generated: 2026-05-07
AI Q&A: 2026-04-23
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: jellystat
Product: jellystat
Version / Range: up to 1.1.10 (excluding)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Jellystat, a free and open source Statistics App for Jellyfin, in versions prior to 1.1.10. Multiple API endpoints build SQL queries by directly inserting unsanitized request-body fields into raw SQL strings. An authenticated user can exploit this by injecting arbitrary SQL through the POST /api/getUserDetails and POST /api/getLibrary endpoints.

This SQL injection allows the attacker to read any table in the database, including sensitive tables like app_config, which contains admin credentials, the Jellyfin API key, and the Jellyfin host URL.

Because the vulnerable queries use the node-postgres simple query protocol without parameter arrays, stacked queries are allowed. This escalates the attack from just data disclosure to arbitrary command execution on the PostgreSQL host using the COPY ... TO PROGRAM feature.

Under the default PostgreSQL superuser role shipped with the project's docker-compose.yml, no additional privileges are needed to perform remote code execution (RCE). The issue is fixed in version 1.1.10.


How can this vulnerability impact me?

This vulnerability can have severe impacts including unauthorized disclosure of sensitive data and full system compromise.

  • An attacker can read any database table, exposing sensitive information such as admin credentials and API keys.
  • The vulnerability allows escalation from data disclosure to arbitrary command execution on the database host, potentially leading to full remote code execution.
  • Because the default PostgreSQL role is a superuser, the attacker does not need additional privileges to exploit this vulnerability.

Overall, this can lead to complete compromise of the Jellystat application and the underlying system hosting the database.


What immediate steps should I take to mitigate this vulnerability?

The immediate step to mitigate this vulnerability is to upgrade Jellystat to version 1.1.10 or later, as this version contains the fix for the SQL injection and remote code execution issues.


Can you explain this vulnerability to me?

This vulnerability exists in Jellystat, a free and open source Statistics App for Jellyfin, in versions prior to 1.1.10. Multiple API endpoints build SQL queries by directly inserting unsanitized request-body fields into raw SQL strings. An authenticated user can exploit this by injecting arbitrary SQL through the POST /api/getUserDetails and POST /api/getLibrary endpoints.

Because the queries use the simple query protocol of node-postgres without parameterization, stacked queries are allowed. This means the attacker can escalate from just reading data to executing arbitrary commands on the PostgreSQL host using the COPY ... TO PROGRAM feature.

The default PostgreSQL role shipped with the project's docker-compose.yml is a superuser, so no additional privileges are needed to perform remote code execution (RCE). The vulnerability is fixed in version 1.1.10.


How can this vulnerability impact me?

This vulnerability can have severe impacts including full disclosure of any database table, such as sensitive configuration data like admin credentials, Jellyfin API keys, and host URLs.

Beyond data disclosure, an attacker can execute arbitrary commands on the PostgreSQL host system, potentially leading to complete system compromise.

Because the default role is a PostgreSQL superuser, the attacker does not need additional privileges, increasing the risk and ease of exploitation.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Jellystat to version 1.1.10 or later, as this version contains the fix for the SQL injection and remote code execution issues.

