CVE-2025-64113

CRITICAL

Nuget Mediabrowser.server.core < 4.9.1.81 - Password Reset Weakness

Title source: rule

Description

Emby Server is a user-installable home media server. Versions below 4.9.1.81 allow an attacker to gain full administrative access to an Emby Server (for Emby Server administration, not at the OS level). Other than network access, no specific preconditions need to be fulfilled for a server to be vulnerable. This issue is fixed in version 4.9.1.81.

References (1)

[Vendor Advisory] https://github.com/EmbySupport/Emby.Security/security/advisories/GHSA-95fv-5gfj-2r84

Scores

CVSS v3 9.8

EPSS 0.0003

EPSS Percentile 6.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-640

Status published

Affected Products (3)

nuget/MediaBrowser.Server.Core < 4.9.1.81NuGet

emby/emby < 4.9.1.90

emby/emby

Timeline

Published Dec 09, 2025

Tracked Since Feb 18, 2026