CVE-2025-69415

HIGH

Plex Media Server <1.42.2.10156 - Info Disclosure

Title source: llm

Description

In Plex Media Server (PMS) through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account.

References (1)

[Various Sources] https://github.com/lufinkey/vulnerability-research/blob/main/CVE-2025-34158/README.md

View Writeup ZIP pw:eip

Scores

CVSS v3 7.1

EPSS 0.0002

EPSS Percentile 5.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-672

Status published

Products (1)

plex/media_server < 1.42.2.10156

Published Jan 02, 2026

Tracked Since Feb 18, 2026