CVE-2026-41167 – Jellystat has SQL Injection that leads to Remote Code Execution

Posted on April 23, 2026
CVE ID: CVE-2026-41167

Published: April 22, 2026, 9:17 p.m.

Description: Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via `POST /api/getUserDetails` and `POST /api/getLibrary`, enabling a full read of any table in the database – including `app_config`, which stores the Jellystat admin credentials, the Jellyfin API key, and the Jellyfin host URL. Because the vulnerable call site dispatches via `node-postgres`’s simple query protocol (no parameter array is passed), stacked queries are allowed, which escalates the injection from data disclosure to arbitrary command execution on the PostgreSQL host via `COPY … TO PROGRAM`. Under the role shipped by the project’s `docker-compose.yml` (a PostgreSQL superuser), no additional privileges are required to reach the RCE primitive. Version 1.1.10 contains a fix.

Severity: 9.1 | CRITICAL


🤖 AI-Generated Patch Solution

Google Gemini (gemini-2.5-flash) • CVE: CVE-2026-41167


1. IMMEDIATE ACTIONS

Identify every Jellystat deployment running a version earlier than 1.1.10. Jellystat sits beside a Jellyfin server and is normally deployed from the project’s `docker-compose.yml`, so start with the Jellystat container and the PostgreSQL container it ships with. Treat any instance reachable by ordinary Jellyfin users as exposed: the injection needs only an authenticated Jellystat account, not an administrator.

Review Jellystat access logs, reverse-proxy logs and PostgreSQL logs for `POST /api/getUserDetails` and `POST /api/getLibrary` requests whose body fields contain SQL metacharacters (a closing quote followed by `;`, `--`, `UNION`, or the keyword `COPY`). If statement logging (`log_statement`) is enabled on the PostgreSQL server, a stacked injection appears as a single `statement:` line that contains more than one statement; look in particular for `COPY … TO PROGRAM` and for reads of `app_config`. On the database host, look for child processes of the `postgres` server process (shells, `curl`, `wget`), unexpected outbound connections from the database container, and new files in directories writable by the postgres user.

If there is any indication of compromise or active exploitation, isolate the affected containers or hosts from the network immediately (quarantine VLAN, host-firewall block, or stopping the service) and document all observed indicators of compromise (IOCs). Treat every secret stored in `app_config` as compromised: regenerate the Jellyfin API key in Jellyfin, change the Jellystat admin password, and change the password of the PostgreSQL role Jellystat uses. Because the stolen key is a Jellyfin API key, also check Jellyfin’s own logs for API activity under that key from addresses other than the Jellystat host.

Do not expose an unpatched Jellystat directly to the Internet; place it behind authentication at the reverse proxy or restrict it to trusted networks. Block outbound network access from the PostgreSQL container, which removes the most common way a `COPY … TO PROGRAM` payload fetches a second stage or exfiltrates data.

Where immediate patching is not feasible, reduce the blast radius of the injection. Run Jellystat against a PostgreSQL role that is not a superuser and is not a member of `pg_execute_server_program` or `pg_read_server_files`: without those privileges `COPY … TO PROGRAM` is refused and the bug falls back to data disclosure. The role created by the project’s compose file is a superuser, so a dedicated least-privilege role has to be created and granted only what Jellystat needs on its own tables. WAF rules that reject `;`, `COPY` and `TO PROGRAM` in the JSON bodies of the two endpoints raise the bar but are not a fix, because the underlying injection remains.
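The two mechanisms above, the interpolated simple-protocol query from the description and the statement-log review from the actions list, as an added JavaScript example that is not Jellystat’s code. The first half contrasts a vulnerable query builder with the parameterised form node-postgres supports through `client.query(text, values)` and shows that a constructed body value stacks a second `COPY … TO PROGRAM` statement only in the vulnerable form; the second half scans constructed PostgreSQL statement-log lines for stacked statements, `app_config` reads and `COPY … TO PROGRAM`. The table and column names (`jf_users`, `jf_libraries`, `"Id"`), the request field, the log-line prefix and the sample lines are assumptions made for the example.

```javascript
// Added example, not Jellystat's own code. Table and column names, the request
// field and the log lines are constructed for illustration.

// --- 1. Interpolated query vs. bind parameter --------------------------------

// Vulnerable pattern: the body field is spliced into the SQL text. Sending a
// bare string to node-postgres (client.query(text), no values array) uses the
// simple query protocol, so PostgreSQL executes every ';'-separated statement.
function buildVulnerableQuery(userid) {
  return `SELECT * FROM jf_users WHERE "Id" = '${userid}'`;
}

// Hardened pattern: the value is a bind parameter. client.query(text, values)
// uses the extended protocol, which accepts exactly one statement and never
// parses the bound value as SQL.
function buildSafeQuery(userid) {
  return { text: 'SELECT * FROM jf_users WHERE "Id" = $1', values: [userid] };
}

// Split a query string into the statements the simple protocol would run.
// Minimal tokenizer: honours single-quoted literals ('' escapes) and '--'
// line comments, which is all these examples need.
function splitStatements(sql) {
  const out = [];
  let cur = '';
  let inStr = false;
  for (let i = 0; i < sql.length; i++) {
    const ch = sql[i];
    if (inStr) {
      cur += ch;
      if (ch === "'") {
        if (sql[i + 1] === "'") { cur += "'"; i++; } else inStr = false;
      }
    } else if (ch === "'") {
      inStr = true;
      cur += ch;
    } else if (ch === '-' && sql[i + 1] === '-') {
      const nl = sql.indexOf('\n', i);   // comment runs to end of line
      i = nl === -1 ? sql.length : nl;
    } else if (ch === ';') {
      if (cur.trim()) out.push(cur.trim());
      cur = '';
    } else {
      cur += ch;
    }
  }
  if (cur.trim()) out.push(cur.trim());
  return out;
}

// Constructed attacker value: closes the literal, stacks a second statement
// (a harmless `id` here) and comments out the trailing quote.
const ATTACK_VALUE = "x'; COPY (SELECT '') TO PROGRAM 'id'; --";
const COPY_TO_PROGRAM = /\bCOPY\b[\s\S]*\bTO\s+PROGRAM\b/i;

function compareQueryPatterns(value) {
  const vuln = buildVulnerableQuery(value);
  const safe = buildSafeQuery(value);
  return {
    vulnerableStatements: splitStatements(vuln).length,  // 2: the COPY runs
    vulnerableHasCopyToProgram: COPY_TO_PROGRAM.test(vuln),
    safeStatements: splitStatements(safe.text).length,   // 1: payload stays data
    safeTextHasPayload: safe.text.includes('COPY'),
  };
}

// --- 2. Scan PostgreSQL statement logs -------------------------------------

// Needs log_statement = 'all' on the server. With the simple protocol the whole
// stacked string is logged as one "statement:" line, so the signal is a line
// holding more than one statement, a read of app_config, or COPY ... TO PROGRAM.
// The log_line_prefix format is an assumption; only "LOG:  statement:" is matched.
const SUSPICIOUS = [
  { name: 'copy-to-program', re: COPY_TO_PROGRAM },
  { name: 'reads-app_config', re: /\bapp_config\b/i },
  { name: 'server-file-read', re: /\bpg_(read_file|read_binary_file|ls_dir)\s*\(/i },
];

function scanStatementLog(logText) {
  const findings = [];
  for (const line of logText.split('\n')) {
    const m = line.match(/LOG:\s+statement:\s*(.*)$/);
    if (!m) continue;
    const reasons = SUSPICIOUS.filter((s) => s.re.test(m[1])).map((s) => s.name);
    const count = splitStatements(m[1]).length;
    if (count > 1) reasons.unshift(`stacked:${count}`);
    if (reasons.length) findings.push({ line, reasons });
  }
  return findings;
}

// Constructed sample: a benign lookup, two injected requests, a trivial query.
const SAMPLE_LOG = [
  `2026-04-22 21:05:11.101 UTC [4121] LOG:  statement: SELECT * FROM jf_users WHERE "Id" = 'a1b2c3'`,
  `2026-04-22 21:05:12.410 UTC [4121] LOG:  statement: SELECT * FROM jf_users WHERE "Id" = 'x'; SELECT * FROM app_config; --'`,
  `2026-04-22 21:05:13.002 UTC [4121] LOG:  statement: SELECT * FROM jf_libraries WHERE "Id" = 'x'; COPY (SELECT '') TO PROGRAM 'id'; --'`,
  `2026-04-22 21:05:14.777 UTC [4122] LOG:  statement: SELECT 1`,
].join('\n');

console.log(compareQueryPatterns(ATTACK_VALUE));
for (const hit of scanStatementLog(SAMPLE_LOG)) console.log(hit.reasons.join(','), '|', hit.line);
```

The statement splitter is deliberately small: it does not understand dollar-quoted strings, double-quoted identifiers containing `;`, or `/* */` block comments, so a determined attacker can hide a stacked statement from it. Use it to triage logs, not as a filter in front of the database; the fix is the bind parameter, which makes the count irrelevant because the extended protocol rejects a second statement outright.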

2. PATCH AND UPDATE INFORMATION

CVE-2026-41167 is addressed in Jellystat version 1.1.10, which contains the fix for the affected endpoints; earlier versions remain vulnerable regardless of configuration.

Update every instance of Jellystat to version 1.1.10 or later, and keep the database hardening from section 1 in place afterwards: a non-superuser role costs nothing once the injection is fixed and limits the damage of any future query bug. The update procedure depends on how Jellystat is deployed:

For applications using package managers (

💡 AI-generated: review with a security professional before acting.
