CVE-2020-26948

CRITICAL EXPLOITED NUCLEI

Emby SSRF HTTP Scanner

Title source: metasploit

Exploitation Summary

CVE-2020-26948 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits, including a Metasploit module auxiliary/scanner/http/emby_version_ssrf. A Nuclei detection template is also available.

AI-analyzed exploit summary: This Metasploit module scans for Emby Media Server versions and checks for vulnerability to CVE-2020-26948 (SSRF). It retrieves version and local address information via an HTTP request to the '/System/Info/Public' endpoint.

Description

Emby Server before 4.5.0 allows SSRF via the Items/RemoteSearch/Image ImageURL parameter.

Exploits (2)

metasploit SCANNER
ruby poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/emby_version_ssrf.rb

This Metasploit module scans for Emby Media Server versions and checks for vulnerability to CVE-2020-26948 (SSRF). It retrieves version and local address information via an HTTP request to the '/System/Info/Public' endpoint.

Classification: Scanner 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Emby Media Server < 4.5.0
No auth needed
Prerequisites: Network access to the Emby server (default port 8096)
devstral-2 · analyzed Feb 16, 2026
metasploit SCANNER
ruby poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/emby_ssrf_scanner.rb

This Metasploit auxiliary module scans for SSRF vulnerabilities in Emby servers (CVE-2020-26948) by sending crafted HTTP requests to internal network resources. It retrieves server headers, titles, and location headers to identify exposed services.

Classification: Scanner 100%
Attack Type: SSRF
Complexity: Trivial
Reliability: Reliable
Target: Emby Server
No auth needed
Prerequisites: Access to the Emby server's web interface
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

Emby < 4.5.0 - Server Server-Side Request Forgery
CRITICAL by dwisiswant0
Shodan: http.title:"emby"
FOFA: title="emby"

References (2)

Core References
Broken Link, Third Party Advisory x_refsource_misc
https://github.com/btnz-k/emby_ssrf/blob/master/emby_scan.rb

Scores

CVSS v3 9.8
EPSS 0.8636
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2025-11-18
CWE CWE-918
Status published
Products (1)
emby/emby < 4.5.0
Published Oct 10, 2020
Tracked Since Feb 18, 2026