Jellystat, a statistics app for Jellyfin, has an SQL injection vulnerability (CWE-89) in multiple API endpoints prior to version 1.1.10. The flaw arises because these endpoints interpolate unsanitized request-body fields directly into raw SQL queries without parameterization. Specifically, the POST /api/getUserDetails and POST /api/getLibrary endpoints are affected. Due to the use of node-postgres's simple query protocol without parameter arrays, stacked queries are possible, escalating the impact from data disclosure to arbitrary command execution on the PostgreSQL server via the COPY ... TO PROGRAM feature. The default PostgreSQL role shipped with the project's docker-compose.yml is a superuser, so no privilege escalation is required to achieve remote code execution. The vulnerability has a CVSS 3.1 score of 9.1 (critical).

An authenticated attacker can exploit this vulnerability to read any database table, including sensitive configuration data such as admin credentials and API keys. Furthermore, the attacker can execute arbitrary commands on the PostgreSQL host system, effectively gaining remote code execution with superuser privileges. This can lead to full compromise of the Jellystat server and potentially the underlying infrastructure.

Version 1.1.10 of Jellystat contains a fix for this vulnerability. Users should upgrade to version 1.1.10 or later to remediate the issue. Since this is not a cloud service, remediation depends on applying the official fix by upgrading the software. Patch status is not explicitly stated in the vendor advisory, but the description confirms the fix is included in version 1.1.10. Until upgraded, restrict access to authenticated users and consider additional network-level protections to limit exposure.