CVE-2026-27707

HIGH
中文标题:
(暂无数据)
英文标题:
Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting i
CVSS分数: 7.3
发布时间: 2026-02-27 20:21:38
漏洞类型: (暂无数据)
状态: PUBLISHED
数据质量分数: 0.40
数据版本: v1
漏洞描述
中文描述:

(暂无数据)

英文描述:

Seerr is an open-source media request and discovery manager for Jellyfin, Plex, and Emby. Starting in version 2.0.0 and prior to version 3.1.0, an authentication guard logic flaw in `POST /api/v1/auth/jellyfin` allows an unauthenticated attacker to register a new Seerr account on any Plex-configured instance by authenticating with an attacker-controlled Jellyfin server. The attacker receives an authenticated session and can immediately use the application with default permissions, including the ability to submit media requests to Radarr/Sonarr. Any Seerr deployment where all three of the following are true may be vulnerable: `settings.main.mediaServerType` is set to `PLEX` (the most common deployment).; `settings.jellyfin.ip` is set to `""` (default, meaning Jellyfin was never configured); and `settings.main.newPlexLogin` is set to `true` (default). Jellyfin-configured and Emby-configured deployments are not affected. Version 3.1.0 of Seerr fixes this issue.

CWE类型:
CWE-288 CWE-807
标签:
(暂无数据)
受影响产品
暂无受影响产品信息
解决方案
中文解决方案:
(暂无数据)
英文解决方案:
(暂无数据)
临时解决方案:
(暂无数据)
参考链接
security-advisories@github.com OTHER
nvd.nist.gov
访问
security-advisories@github.com OTHER
nvd.nist.gov
访问
security-advisories@github.com OTHER
nvd.nist.gov
访问
CVSS评分详情
7.3
HIGH
CVSS向量: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS版本: 3.1
机密性
LOW
完整性
LOW
可用性
LOW
时间信息
发布时间:
2026-02-27 20:21:38
修改时间:
2026-02-27 20:21:38
创建时间:
2026-02-28 06:00:02
更新时间:
2026-03-03 06:00:02
利用信息
暂无可利用代码信息
数据源详情
数据源 记录ID 版本 提取时间
NVD nvd_CVE-2026-27707 2026-02-28 02:00:05 2026-02-27 22:00:02
版本与语言
当前版本: v1
主要语言: EN
支持语言:
EN
安全公告
暂无安全公告信息
变更历史
暂无变更历史