Jonah

1 exploit Active since Nov 2025
CVE-2025-64178 WRITEUP HIGH WRITEUP
jellysweep < 0.13.0 - Authenticated Server-Side Request Forgery via Image Cache URL Parameter
Jellysweep is a cleanup tool for the Jellyfin media server. In versions 0.12.1 and below, /api/images/cache, used to download media posters from the server, accepted a URL parameter that was directly passed to the cache package, which downloaded the poster from this URL. This URL parameter can be used to make the Jellysweep server download arbitrary content. The API endpoint can only be used by authenticated users. This issue is fixed in version 0.13.0.