{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2026-05-09T23:51:24.198",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2026-31852",
        "sourceIdentifier": "security-advisories@github.com",
        "published": "2026-03-11T17:16:58.600",
        "lastModified": "2026-03-20T16:39:05.340",
        "vulnStatus": "Analyzed",
        "cveTags": [],
        "descriptions": [
          {
            "lang": "en",
            "value": "Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is vulnerable to arbitrary code execution via pull requests from forked repositories. Due to the workflow's elevated permissions (nearly all write permissions), this vulnerability enables full repository takeover of jellyfin/jellyfin-ios, exfiltration of highly privileged secrets, Apple App Store supply chain attack, GitHub Container Registry (ghcr.io) package poisoning, and full jellyfin organization compromise via cross-repository token usage. Note: This is not a code vulnerability, but a vulnerability in the GitHub Actions workflows. No new version is required for this GHSA and end users do not need to take any actions."
          },
          {
            "lang": "es",
            "value": "Jellyfin es un sistema multimedia de código abierto. El flujo de trabajo de GitHub Actions 'code-quality.yml' en jellyfin/jellyfin-ios es vulnerable a la ejecución de código arbitrario a través de solicitudes de extracción (pull requests) de repositorios bifurcados. Debido a los permisos elevados del flujo de trabajo (casi todos los permisos de escritura), esta vulnerabilidad permite la toma de control completa del repositorio jellyfin/jellyfin-ios, la exfiltración de secretos altamente privilegiados, un ataque a la cadena de suministro de la Apple App Store, el envenenamiento de paquetes del GitHub Container Registry (ghcr.io) y el compromiso completo de la organización jellyfin a través del uso de tokens entre repositorios. Nota: Esto no es una vulnerabilidad de código, sino una vulnerabilidad en los flujos de trabajo de GitHub Actions. No se requiere una nueva versión para esta GHSA y los usuarios finales no necesitan tomar ninguna medida."
          }
        ],
        "metrics": {
          "cvssMetricV31": [
            {
              "source": "security-advisories@github.com",
              "type": "Secondary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "baseScore": 10.0,
                "baseSeverity": "CRITICAL",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "NONE",
                "userInteraction": "NONE",
                "scope": "CHANGED",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "availabilityImpact": "HIGH"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 6.0
            },
            {
              "source": "nvd@nist.gov",
              "type": "Primary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "NONE",
                "userInteraction": "NONE",
                "scope": "UNCHANGED",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "availabilityImpact": "HIGH"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 5.9
            }
          ]
        },
        "weaknesses": [
          {
            "source": "security-advisories@github.com",
            "type": "Primary",
            "description": [
              {
                "lang": "en",
                "value": "CWE-269"
              }
            ]
          }
        ],
        "configurations": [
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:jellyfin:jellyfin:-:*:*:*:*:*:*:*",
                    "matchCriteriaId": "F93B191D-575B-4255-9BB5-711F03BABB00"
                  }
                ]
              }
            ]
          }
        ],
        "references": [
          {
            "url": "https://github.com/jellyfin/jellyfin-ios/commit/109217e75f38394b2f6e46e25dfe5a721203d3c8",
            "source": "security-advisories@github.com",
            "tags": [
              "Patch"
            ]
          },
          {
            "url": "https://github.com/jellyfin/jellyfin-ios/security/advisories/GHSA-7qhm-2m45-7fmh",
            "source": "security-advisories@github.com",
            "tags": [
              "Vendor Advisory"
            ]
          }
        ]
      }
    }
  ]
}