How broadly exploitable is this vulnerability in practice?

Exploitation is feasible wherever an attacker can reach the `/Videos/{itemId}/stream` endpoint and obtain a valid `itemId`. While the endpoint does not enforce authorization by default, the need for a valid GUID makes blind exploitation harder, but not impossible if IDs are leaked or guessed.

Does an attacker need authenticated access to exploit this issue?

The streaming endpoint itself does not require authentication, but obtaining the correct `itemId` typically requires authenticated access or another information disclosure path. Once a valid ID is known, no further authentication is required to trigger the argument injection.

What is the safest general fix pattern for this type of bug?

The most robust fix is to eliminate direct string concatenation of user input into command lines, enforce strict whitelists of allowed options, and ensure that all endpoints invoking external tools are protected by authorization. Wrapping ffmpeg invocations in a well-defined interface that only exposes vetted parameters further reduces risk.

Severity:

CRITICAL RISK

(9.1)

Argument Injection (CWE-88) in Jellyfin Streaming ffmpeg Invocation

CVE-2026-35033

Published:

Apr 14, 2026

Status:

Analyzed

Summary

Affected Context

Exploit Preconditions

Why This Happens

Potential Impact

General Mitigation Guidance

How Teams Detect Issues Like This

Frequently Asked Questions

Source

NDV

Recent Vulnerabilities

CWE-74;CWE-89

HIGH RISK

HIGH

(7.3)

SQL Injection via Unsanitized ID Parameter (CWE-89) in Pharmacy Sales and Inventory System /ajax.php

Database Compromise and Data Integrity Loss

April 27, 2026

CWE-863

HIGH RISK

HIGH

(8.5)

Incorrect Authorization (CWE-863) in OpenClaw chat.send Session Management

Privilege Escalation and Unauthorized Session Control

April 27, 2026

Vulnerability Type

Category:

Command/Argument Injection

CWE:

CWE-88;CWE-862

Impact:

Arbitrary File Read via Media Stream

Severity:

CRITICAL RISK

(9.1)

CVSS Version:

3.1

Vulnerability Type

Category:

Command/Argument Injection

CWE:

CWE-88;CWE-862

Impact:

Arbitrary File Read via Media Stream

Severity:

CRITICAL RISK

(9.1)

CVSS Version:

3.1

Catch This CVE While Code Is Being Written

Detect vulnerable code directly in pull requests, so CVEs are fixed before merge.

Get Started

Ship clean & secure code faster

START 14 DAYS FREE TRIAL

BOOK A DEMO

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Argument Injection (CWE-88) in Jellyfin Streaming ffmpeg Invocation

Summary

Affected Context

Exploit Preconditions

Why This Happens

Potential Impact

General Mitigation Guidance

How Teams Detect Issues Like This

Frequently Asked Questions

Source

Recent Vulnerabilities

HIGH RISK

HIGH

(7.3)

SQL Injection via Unsanitized ID Parameter (CWE-89) in Pharmacy Sales and Inventory System /ajax.php

HIGH RISK

HIGH

(8.5)

Incorrect Authorization (CWE-863) in OpenClaw chat.send Session Management

Vulnerability Type

Vulnerability Type

Vulnerability Type

Catch This CVE While Code Is Being Written

Ship clean & secure code faster

Product

Pricing

Company

Legal

Developers

Compare

Product

Pricing

Company

Legal

Developers

Compare

Product

Pricing

Company

Legal

Developers

Compare