{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41167", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-17T16:34:45.525Z", "datePublished": "2026-04-22T20:39:31.044Z", "dateUpdated": "2026-04-23T13:46:23.680Z"}, "containers": {"cna": {"title": "Jellystat has SQL Injection that leads to to Remote Code Execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/CyferShepard/Jellystat/security/advisories/GHSA-fj7c-2p5q-g56m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/CyferShepard/Jellystat/security/advisories/GHSA-fj7c-2p5q-g56m"}, {"name": "https://github.com/CyferShepard/Jellystat/commit/735fe7c6eb0e3e34e92a8a82fd21914d76693665", "tags": ["x_refsource_MISC"], "url": "https://github.com/CyferShepard/Jellystat/commit/735fe7c6eb0e3e34e92a8a82fd21914d76693665"}], "affected": [{"vendor": "CyferShepard", "product": "Jellystat", "versions": [{"version": "< 1.1.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T20:39:31.044Z"}, "descriptions": [{"lang": "en", "value": "Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via `POST /api/getUserDetails` and `POST /api/getLibrary`, enabling full read of any table in the database - including `app_config`, which stores the Jellystat admin credentials, the Jellyfin API key, and the Jellyfin host URL. Because the vulnerable call site dispatches via `node-postgres`'s simple query protocol (no parameter array is passed), stacked queries are allowed, which escalates the injection from data disclosure to arbitrary command execution on the PostgreSQL host via `COPY ... TO PROGRAM`. Under the role shipped by the project's `docker-compose.yml` (a PostgreSQL superuser), no additional privileges are required to reach the RCE primitive. Version 1.1.10 contains a fix."}], "source": {"advisory": "GHSA-fj7c-2p5q-g56m", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/CyferShepard/Jellystat/security/advisories/GHSA-fj7c-2p5q-g56m", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T13:45:57.789345Z", "id": "CVE-2026-41167", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T13:46:23.680Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41167", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-17T16:34:45.525Z", "datePublished": "2026-04-22T20:39:31.044Z", "dateUpdated": "2026-04-23T13:46:23.680Z"}, "containers": {"cna": {"title": "Jellystat has SQL Injection that leads to to Remote Code Execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/CyferShepard/Jellystat/security/advisories/GHSA-fj7c-2p5q-g56m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/CyferShepard/Jellystat/security/advisories/GHSA-fj7c-2p5q-g56m"}, {"name": "https://github.com/CyferShepard/Jellystat/commit/735fe7c6eb0e3e34e92a8a82fd21914d76693665", "tags": ["x_refsource_MISC"], "url": "https://github.com/CyferShepard/Jellystat/commit/735fe7c6eb0e3e34e92a8a82fd21914d76693665"}], "affected": [{"vendor": "CyferShepard", "product": "Jellystat", "versions": [{"version": "< 1.1.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-22T20:39:31.044Z"}, "descriptions": [{"lang": "en", "value": "Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via `POST /api/getUserDetails` and `POST /api/getLibrary`, enabling full read of any table in the database - including `app_config`, which stores the Jellystat admin credentials, the Jellyfin API key, and the Jellyfin host URL. Because the vulnerable call site dispatches via `node-postgres`'s simple query protocol (no parameter array is passed), stacked queries are allowed, which escalates the injection from data disclosure to arbitrary command execution on the PostgreSQL host via `COPY ... TO PROGRAM`. Under the role shipped by the project's `docker-compose.yml` (a PostgreSQL superuser), no additional privileges are required to reach the RCE primitive. Version 1.1.10 contains a fix."}], "source": {"advisory": "GHSA-fj7c-2p5q-g56m", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41167", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-23T13:45:57.789345Z"}}}], "references": [{"url": "https://github.com/CyferShepard/Jellystat/security/advisories/GHSA-fj7c-2p5q-g56m", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T13:46:19.430Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via `POST /api/getUserDetails` and `POST /api/getLibrary`, enabling full read of any table in the database - including `app_config`, which stores the Jellystat admin credentials, the Jellyfin API key, and the Jellyfin host URL. Because the vulnerable call site dispatches via `node-postgres`'s simple query protocol (no parameter array is passed), stacked queries are allowed, which escalates the injection from data disclosure to arbitrary command execution on the PostgreSQL host via `COPY ... TO PROGRAM`. Under the role shipped by the project's `docker-compose.yml` (a PostgreSQL superuser), no additional privileges are required to reach the RCE primitive. Version 1.1.10 contains a fix."}], "id": "CVE-2026-41167", "lastModified": "2026-04-29T20:46:33.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-22T21:17:09.303", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/CyferShepard/Jellystat/commit/735fe7c6eb0e3e34e92a8a82fd21914d76693665"}, {"source": "security-advisories@github.com", "url": "https://github.com/CyferShepard/Jellystat/security/advisories/GHSA-fj7c-2p5q-g56m"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/CyferShepard/Jellystat/security/advisories/GHSA-fj7c-2p5q-g56m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.10)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Jellystat", "source": "cna", "vendor": "CyferShepard"}, "product": "jellystat", "vendor": "cyfershepard"}], "analysis": {"en": {"generated_at": "2026-04-27T08:25:14.184851+00:00", "value": {"mitigation_remediation": ["Upgrade Jellystat to version 1.1.10 or newer, which sanitizes input and removes the vulnerable endpoints.", "If upgrading immediately is not possible, restrict or block POST requests to /api/getUserDetails and /api/getLibrary from untrusted clients, or require additional authorization checks before allowing these requests.", "Reconfigure the PostgreSQL service so the application connects as a non\u2011superuser with limited privileges, ensuring that even if an injection occurs it cannot reach the COPY \u2026 TO PROGRAM command."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is Jellystat from CyferShepard. Versions prior to 1.1.10 are vulnerable; all releases before the 1.1.10 release contain the flaw.", "description_and_impact": "Jellystat builds SQL queries by directly interpolating unsanitized request-body fields into raw SQL strings for the endpoints POST /api/getUserDetails and POST /api/getLibrary. An attacker who authenticates to the application can inject arbitrary SQL, read every table\u2014including app_config where administrator credentials, API keys, and host URLs are stored\u2014 and, because the query is executed via node-postgres' simple query protocol, use stacked statements such as COPY ... TO PROGRAM to execute commands on the PostgreSQL host. With the role used in the provided docker-compose.yml, the database user is a superuser, so no additional privileges are required for the privilege escalation to remote code execution.", "risk_and_exploitability": "The CVSS score of 9.1 indicates a high severity vulnerability, and the flaw can lead to full server compromise through the database. While an EPSS score is not available, the vulnerability exists in open\u2011source code that is publicly accessible, making exploitation more likely. The flaw is not listed in CISA\u2019s KEV catalog. The attack vector is remote and requires the attacker to be able to authenticate and submit POST requests to the vulnerable routes. Once authenticated, the attacker can read sensitive data, access admin credentials, and ultimately run arbitrary commands on the host system."}}}}, "created": "2026-04-27T18:42:00.080540+00:00", "updated": "2026-04-27T19:53:05.425524+00:00", "vendors": ["cyfershepard", "cyfershepard$PRODUCT$jellystat"]}