Cyber Posture

CVE-2026-41167

Critical

Published: 22 April 2026

Modified: 29 April 2026
KEV Added
Patch
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.5th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via `POST /api/getUserDetails` and `POST /api/getLibrary`, enabling a full read of any table in the database, including `app_config`, which stores the Jellystat admin credentials, the Jellyfin API key, and the Jellyfin host URL. Because the vulnerable call site dispatches via `node-postgres`'s simple query protocol (no parameter array is passed), stacked queries are allowed, which escalates the injection from data disclosure to arbitrary command execution on the PostgreSQL host via `COPY ... TO PROGRAM`. Under the role shipped by the project's `docker-compose.yml` (a PostgreSQL superuser), no additional privileges are required to reach the RCE primitive. Version 1.1.10 contains a fix.
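As an added example (not Jellystat's code and not the patch), the query-building pattern the description refers to is shown beside its parameterized form; the table and column names, and the hostile input, are constructed for illustration.

```javascript
// Added example, not Jellystat's code. Table/column names ("jf_users", "Id")
// and the request bodies are assumed for illustration.

// Vulnerable pattern: the request-body field is interpolated into the SQL text.
// Sent to node-postgres as a bare string (no values array), the query goes out
// over the simple query protocol, which accepts several ';'-separated
// statements in one round trip (stacked queries).
function buildUserDetailsUnsafe(body) {
  return `SELECT * FROM jf_users WHERE "Id" = '${body.userid}'`;
}

// Hardened pattern: the SQL text is a constant and the field travels in the
// values array. With a values array node-postgres uses the extended query
// protocol, which parses exactly one statement and never splices data into it.
function buildUserDetailsSafe(body) {
  if (typeof body.userid !== 'string') {
    throw new TypeError('userid must be a string');
  }
  return {
    text: 'SELECT * FROM jf_users WHERE "Id" = $1',
    values: [body.userid],
  };
}

// Rough statement counter: counts ';' outside single-quoted literals and
// ignores '--' comments. Enough to show how many statements each build carries.
function countStatements(sql) {
  let inQuote = false, sawText = false, count = 0;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (inQuote) { if (ch === "'") inQuote = false; continue; }
    if (ch === "'") { inQuote = true; sawText = true; continue; }
    if (ch === '-' && sql[i + 1] === '-') {      // comment runs to end of line
      const nl = sql.indexOf('\n', i);
      if (nl < 0) break;
      i = nl;
      continue;
    }
    if (ch === ';') { if (sawText) count++; sawText = false; continue; }
    if (!/\s/.test(ch)) sawText = true;
  }
  return count + (sawText ? 1 : 0);
}

// Constructed input that closes the literal and appends a harmless second statement.
const hostile = { userid: "abc'; SELECT 1; --" };
const unsafeSql = buildUserDetailsUnsafe(hostile);   // two statements
const safeQuery = buildUserDetailsSafe(hostile);     // one statement, data kept in values
```

The hardened build keeps the query text identical for every input, so the same input that produced two statements above is carried as an opaque parameter value.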

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Information Input Validation directly prevents SQL injection by requiring that request-body fields be validated and sanitized before they are interpolated into SQL queries.

prevent: Least Privilege mitigates escalation from SQL injection to RCE by running the application's PostgreSQL role without the superuser privileges the default docker-compose.yml grants it.

prevent: Flaw Remediation ensures timely patching of the SQL injection vulnerability, which is fixed in Jellystat version 1.1.10.

Security Summary [AI]

CVE-2026-41167 is a SQL injection vulnerability in Jellystat, a free and open-source statistics application for Jellyfin media servers. The flaw affects versions prior to 1.1.10, where multiple API endpoints, including POST /api/getUserDetails and POST /api/getLibrary, construct SQL queries by directly interpolating unsanitized fields from the request body into raw SQL strings using the node-postgres library's simple query protocol. This allows arbitrary SQL injection against the backend PostgreSQL database.

An authenticated user with high privileges can exploit the vulnerability over the network with low complexity. The initial injection enables full read access to any database table, such as app_config, which contains sensitive data like Jellystat admin credentials, Jellyfin API keys, and host URLs. Because the queries are sent as simple queries without parameterization, stacked queries are permitted, escalating the attack to remote code execution on the PostgreSQL host via commands like COPY ... TO PROGRAM. Since the PostgreSQL role provided in Jellystat's default docker-compose.yml is a superuser, no additional privileges are needed for this RCE.

The vulnerability is fixed in Jellystat version 1.1.10, as detailed in the project's GitHub security advisory (GHSA-fj7c-2p5q-g56m) and the patching commit (735fe7c6eb0e3e34e92a8a82fd21914d76693665). Security practitioners should upgrade to the patched version and review database configurations to avoid superuser privileges for application roles. The issue is rated 9.1 on the CVSS v3.1 scale (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-89.

Details

CWE(s): CWE-89 (SQL Injection)

MITRE ATT&CK Enterprise Techniques [AI]

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

SQL injection in the API endpoints enables remote exploitation (T1210), arbitrary reads from database tables including stored credentials (T1213.006), and RCE on the PostgreSQL host via stacked queries and COPY ... TO PROGRAM, which executes through the Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
