QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2025-64178

Back to search

CVE-2025-64178

Published: Nov 6, 2025

Modified: Nov 7, 2025

PUBLISHED

Description

Jellysweep is a cleanup tool for the Jellyfin media server. In versions 0.12.1 and below, /api/images/cache, used to download media posters from the server, accepted a URL parameter that was directly passed to the cache package, which downloaded the poster from this URL. This URL parameter can be used to make the Jellysweep server download arbitrary content. The API endpoint can only be used by authenticated users. This issue is fixed in version 0.13.0.

VendorProductVersions

jon4hz

jellysweep

affected
< 0.13.0

Weaknesses (CWE)

CWE-918

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now