CVE-2025-64113

CRITICAL

Emby Server < 4.9.1.81 - Unauthenticated Weak Password Recovery Mechanism

Title source: llm

Description

Emby Server is a user-installable home media server. Versions below 4.9.1.81 allow an attacker to gain full administrative access to an Emby Server (for Emby Server administration, not at the OS level). Other than network access, no specific preconditions need to be fulfilled for a server to be vulnerable. This issue is fixed in version 4.9.1.81.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://github.com/EmbySupport/Emby.Security/security/advisories/GHSA-95fv-5gfj-2r84

Scores

CVSS v3 9.8

EPSS 0.0060

EPSS Percentile 44.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-640

Status published

Products (3)

emby/emby 4.9.2.6 beta

emby/emby < 4.9.1.90

nuget/MediaBrowser.Server.Core 0 - 4.9.1.81NuGet

Published Dec 09, 2025

Tracked Since Feb 18, 2026