CVE-2026-41167: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in CyferShepard Jellystat
Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via `POST /api/getUserDetails` and `POST /api/getLibrary`, enabling full read of any table in the database - including `app_config`, which stores the Jellystat admin credentials, the Jellyfin API key, and the Jellyfin host URL. Because the vulnerable call site dispatches via `node-postgres`'s simple query protocol (no parameter array is passed), stacked queries are allowed, which escalates the injection from data disclosure to arbitrary command execution on the PostgreSQL host via `COPY ... TO PROGRAM`. Under the role shipped by the project's `docker-compose.yml` (a PostgreSQL superuser), no additional privileges are required to reach the RCE primitive. Version 1.1.10 contains a fix.
AI Analysis
Technical Summary
Jellystat, an open-source statistics app for Jellyfin, has a critical SQL injection vulnerability (CVE-2026-41167) in versions before 1.1.10. Multiple API endpoints build SQL queries by directly interpolating unsanitized request-body fields into raw SQL strings. This flaw allows an authenticated user to inject arbitrary SQL commands via POST requests to /api/getUserDetails and /api/getLibrary. Due to the use of node-postgres's simple query protocol without parameterization, stacked queries are permitted, enabling escalation from data disclosure to arbitrary command execution on the PostgreSQL server using the COPY ... TO PROGRAM feature. The default PostgreSQL role in the provided docker-compose.yml is a superuser, so no privilege escalation is needed to achieve remote code execution. The vulnerability is fixed in version 1.1.10.
Potential Impact
An authenticated attacker can exploit this vulnerability to fully read any database table, including sensitive data such as admin credentials and API keys. Furthermore, the attacker can execute arbitrary commands on the PostgreSQL host, leading to full system compromise. The vulnerability is critical with a CVSS 3.1 score of 9.1, reflecting high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Version 1.1.10 of Jellystat contains a fix for this vulnerability. Users should upgrade to version 1.1.10 or later to remediate this issue. No official patch or workaround is indicated beyond upgrading. Since this is not a cloud service, remediation depends on user action to update the software.
CVE-2026-41167: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in CyferShepard Jellystat
Description
Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via `POST /api/getUserDetails` and `POST /api/getLibrary`, enabling full read of any table in the database - including `app_config`, which stores the Jellystat admin credentials, the Jellyfin API key, and the Jellyfin host URL. Because the vulnerable call site dispatches via `node-postgres`'s simple query protocol (no parameter array is passed), stacked queries are allowed, which escalates the injection from data disclosure to arbitrary command execution on the PostgreSQL host via `COPY ... TO PROGRAM`. Under the role shipped by the project's `docker-compose.yml` (a PostgreSQL superuser), no additional privileges are required to reach the RCE primitive. Version 1.1.10 contains a fix.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Jellystat, an open-source statistics app for Jellyfin, has a critical SQL injection vulnerability (CVE-2026-41167) in versions before 1.1.10. Multiple API endpoints build SQL queries by directly interpolating unsanitized request-body fields into raw SQL strings. This flaw allows an authenticated user to inject arbitrary SQL commands via POST requests to /api/getUserDetails and /api/getLibrary. Due to the use of node-postgres's simple query protocol without parameterization, stacked queries are permitted, enabling escalation from data disclosure to arbitrary command execution on the PostgreSQL server using the COPY ... TO PROGRAM feature. The default PostgreSQL role in the provided docker-compose.yml is a superuser, so no privilege escalation is needed to achieve remote code execution. The vulnerability is fixed in version 1.1.10.
Potential Impact
An authenticated attacker can exploit this vulnerability to fully read any database table, including sensitive data such as admin credentials and API keys. Furthermore, the attacker can execute arbitrary commands on the PostgreSQL host, leading to full system compromise. The vulnerability is critical with a CVSS 3.1 score of 9.1, reflecting high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
Version 1.1.10 of Jellystat contains a fix for this vulnerability. Users should upgrade to version 1.1.10 or later to remediate this issue. No official patch or workaround is indicated beyond upgrading. Since this is not a cloud service, remediation depends on user action to update the software.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-17T16:34:45.525Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e9371d19fe3cd2cdefb1ec
Added to database: 4/22/2026, 9:01:17 PM
Last enriched: 4/22/2026, 9:16:05 PM
Last updated: 4/22/2026, 11:23:24 PM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.