CVE-2025-64113

CRITICAL

Nuget Mediabrowser.server.core < 4.9.1.81 - Password Reset Weakness

Title source: rule

Description

Emby Server is a user-installable home media server. Versions below 4.9.1.81 allow an attacker to gain full administrative access to an Emby Server (for Emby Server administration, not at the OS level). Other than network access, no specific preconditions need to be fulfilled for a server to be vulnerable. This issue is fixed in version 4.9.1.81.

References (1)

[Vendor Advisory] https://github.com/EmbySupport/Emby.Security/security/advisories/GHSA-95fv-5gfj-2r84

Scores

CVSS v3 9.8

EPSS 0.0003

EPSS Percentile 8.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-640

Status published

Products (3)

emby/emby 4.9.2.6 beta

emby/emby < 4.9.1.90

nuget/MediaBrowser.Server.Core 0 - 4.9.1.81NuGet

Published Dec 09, 2025

Tracked Since Feb 18, 2026