CVE-2026-41167
Published:April 22, 2026
Updated:April 26, 2026
Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via "POST /api/getUserDetails" and "POST /api/getLibrary", enabling full read of any table in the database - including "app_config", which stores the Jellystat admin credentials, the Jellyfin API key, and the Jellyfin host URL. Because the vulnerable call site dispatches via "node-postgres"'s simple query protocol (no parameter array is passed), stacked queries are allowed, which escalates the injection from data disclosure to arbitrary command execution on the PostgreSQL host via "COPY ... TO PROGRAM". Under the role shipped by the project's "docker-compose.yml" (a PostgreSQL superuser), no additional privileges are required to reach the RCE primitive. Version 1.1.10 contains a fix.
Affected Packages
https://github.com/CyferShepard/Jellystat.git (GITHUB):
Affected version(s) >=V1.1.8 <1.1.10Fix Suggestion:
Update to version 1.1.10Related Resources (2)
Do you need more information?
Contact UsCVSS v4
Base Score:
9.4
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
CVSS v3
Base Score:
9.1
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
