CVE-2023-33193

CRITICAL EXPLOITED NUCLEI

emby.releases < 4.7.0.12 - HTTP Request Smuggling via Header Spoofing

Title source: llm

Exploitation Summary

CVE-2023-33193 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

Emby Server is a user-installable home media server which stores and organizes a user's media files of virtually any format and makes them available for viewing at home and abroad on a broad range of client devices. This vulnerability may allow administrative access to an Emby Server system, depending on certain user account settings. By spoofing certain headers which are intended for interoperation with reverse proxy servers, it may be possible to affect the local/non-local network determination to allow logging in without password or to view a list of user accounts which may have no password configured. Impacted are all Emby Server system which are publicly accessible and where the administrator hasn't tightened the account login configuration for administrative users. This issue has been patched in Emby Server Beta version 4.8.31 and Emby Server version 4.7.12.

Nuclei Templates (1)

Emby Server - Authentication Bypass

CRITICALVERIFIEDby daffainfo

Shodan: product:"Emby Media Server"

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://github.com/EmbySupport/security/security/advisories/GHSA-fffj-6fr6-3fgf

Scores

CVSS v3 9.1

EPSS 0.0171

EPSS Percentile 74.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2023-05-25

CWE

CWE-444

Status published

Products (1)

emby/emby.releases < 4.7.0.12

Published May 30, 2023

Tracked Since Feb 18, 2026