CVE-2025-24960

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2025-24960
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-24960.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-24960
Aliases
  • GHSA-6x46-6w9f-ffv6
Published
2025-02-03T20:40:50.403Z
Modified
2025-11-30T09:22:48.204376Z
Severity
  • 8.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N CVSS Calculator
Summary
Missing Input validation for filename in backups endpoint in Jellystat
Details

Jellystat is a free and open source Statistics App for Jellyfin. In affected versions Jellystat is directly using a user input in the route(s). This can lead to Path Traversal Vulnerabilities. Since this functionality is only for admin(s), there is very little scope for abuse. However, the DELETE files/:filename can be used to delete any file. This issue has been addressed in version 1.1.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/24xxx/CVE-2025-24960.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-22"
    ]
}
References

Affected packages

Git / github.com/cyfershepard/jellystat

Affected ranges

Type
GIT
Repo
https://github.com/cyfershepard/jellystat
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
d2aed2e0cfb0394f62ae5d6f21d74610d1fc7a61
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.1.3"
        }
    ]
}

Affected versions

1.*

1.0.8
1.0.9
1.1.0
1.1.1
1.1.2