Overview
CVE-2026-41167 is a critical-severity (CVSS 9.1) SQL injection vulnerability in Jellystat, a free and open-source statistics application for Jellyfin media servers. Published on April 22, 2026, the flaw affects all Jellystat versions prior to 1.1.10.
Multiple API endpoints in Jellystat construct SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings — a textbook SQL injection vulnerability pattern. An authenticated user can inject arbitrary SQL statements through these endpoints, bypassing Jellystat's data access controls and potentially reaching all data stored in the underlying database.
Technical Details
Vulnerable Code Pattern
Jellystat's API routes build SQL queries using string concatenation or template literals without parameterized queries or prepared statements. When a user submits a request to an affected endpoint, their input is inserted directly into the SQL string:
```javascript
// Vulnerable pattern (illustrative)
const query = `SELECT * FROM users WHERE username = '${req.body.username}'`;
```
An attacker can inject SQL syntax to change the query's logic, break out of the intended string literal, or append additional statements.
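The following is an added example, not code from Jellystat or from the advisory: it puts the interpolation pattern above beside the parameterized form that the fix adopts, and includes a small helper that strips quoted literals so you can see which part of a built query the database would actually parse as SQL. The hardened builder returns a `{ text, values }` query config of the kind node-postgres accepts (chosen for illustration; the page does not name Jellystat's driver), and the type and length check on `username` is an assumption for this example, not Jellystat's own validation. No database is needed, because the injection happens while the string is assembled.

```javascript
// Added example (not Jellystat's code): vulnerable interpolation beside the
// parameterized form, plus a literal-stripping helper to expose what becomes SQL.

// Vulnerable: the request-body field is spliced straight into the SQL text.
function buildVulnerableQuery(body) {
  return `SELECT * FROM users WHERE username = '${body.username}'`;
}

// Hardened: the SQL text is a constant and the input is bound as $1, so the
// database never parses attacker text as SQL. The type/length check is an
// assumption for this example, not Jellystat's validation.
function buildParameterizedQuery(body) {
  const { username } = body;
  if (typeof username !== 'string' || username.length === 0 || username.length > 256) {
    throw new TypeError('username must be a non-empty string of at most 256 chars');
  }
  return { text: 'SELECT * FROM users WHERE username = $1', values: [username] };
}

// Replace every single-quoted literal ('' inside one is an escaped quote) with
// a ? placeholder, leaving only the text the SQL parser would treat as code.
// Attacker input that survives this has escaped the literal and will execute.
function codeOutsideLiterals(sql) {
  let out = '';
  let i = 0;
  while (i < sql.length) {
    if (sql[i] !== "'") { out += sql[i++]; continue; }
    i++; // consume the opening quote
    while (i < sql.length) {
      if (sql[i] === "'") {
        if (sql[i + 1] === "'") { i += 2; continue; } // escaped quote, stay inside
        i++; // closing quote
        break;
      }
      i++;
    }
    out += '?';
  }
  return out;
}

// Compare how the two builders treat one payload. payloadBecameCode is true
// when the payload changed the SQL structure relative to a benign username.
function compare(payload) {
  const vulnerableSql = buildVulnerableQuery({ username: payload });
  const safe = buildParameterizedQuery({ username: payload });
  const baseline = codeOutsideLiterals(buildVulnerableQuery({ username: 'benign' }));
  const vulnerableCode = codeOutsideLiterals(vulnerableSql);
  return {
    vulnerableSql,
    vulnerableCode,
    payloadBecameCode: vulnerableCode !== baseline,
    safeText: safe.text,     // identical for every payload
    safeValues: safe.values, // the payload travels here, inert
  };
}

console.log(compare("admin' OR 1=1 --"));
```

For the payload `admin' OR 1=1 --` the vulnerable builder yields `... username = 'admin' OR 1=1 --'`, and after stripping literals the `OR 1=1` tautology is visible as code; the parameterized builder's text never changes and the whole payload sits in `values`. The helper is only a teaching aid: it does not cover dollar-quoting, E'' strings or double-quoted identifiers, so do not use it as a sanitizer.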
Affected Endpoints
The one endpoint confirmed affected so far:
POST /api/getUserDetails: accepts user-controlled fields in the request body that are interpolated directly into SQL
Additional endpoints in the Jellystat API were found to share the same pattern, expanding the attack surface beyond a single route.
Impact
A successful SQL injection via these endpoints can allow an authenticated attacker to:
- Dump the entire Jellystat database — including user accounts, watch history, playback statistics, and session data
- Modify or delete records — corrupting statistics or manipulating user data
- Potentially access Jellyfin server credentials or API tokens stored in the Jellystat database
- Escalate privileges within Jellystat by modifying user role assignments in the database
Affected Versions
| Software | Affected Versions |
|---|---|
| Jellystat | All versions prior to 1.1.10 |
CVSS Score Breakdown
| Metric | Value |
|---|---|
| Base Score | 9.1 (Critical) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low (Authenticated) |
| User Interaction | None |
| Scope | Changed |
| CWE | CWE-89 (SQL Injection) |
Patch & Mitigation
Patch: Upgrade to Jellystat version 1.1.10 or later. The fix replaces raw SQL string interpolation with parameterized queries across affected endpoints.
Immediate mitigations for unpatched instances:
- Upgrade to 1.1.10 immediately — Jellystat is available via Docker Hub and GitHub releases.
- Restrict Jellystat access — place the application behind a network firewall or VPN; avoid exposing it directly to the internet.
- Limit user accounts — remove unused or unauthorized Jellystat accounts; apply principle of least privilege.
- Audit your database — review the Jellystat database for signs of unauthorized access or modified records.
- Rotate credentials — if Jellyfin API tokens or other credentials are stored in Jellystat's database, rotate them after patching.
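To support the audit step above, here is an added example, not Jellystat's own tooling: a triage script that scans an application request log for injection attempts against Jellystat API routes and groups flagged requests by source address and account. The JSON-lines log format is constructed for this example (one object per request with the parsed body), as are the sample requests, the `/api/getLibraryOverview` path and the indicator weights; adapt `scanLog` to whatever your reverse proxy or request logger actually emits. A single apostrophe is reported but not flagged, so names like O'Brien do not drown out real probes.

```javascript
// Added example (not Jellystat's code): scan a constructed JSON-lines request
// log for SQL-injection indicators in request bodies sent to /api/ routes.

// Indicator patterns with weights; a field is flagged when its score reaches
// FLAG_THRESHOLD. Weights are an assumption for this example, tune to taste.
const INDICATORS = [
  { name: 'quote-break',  weight: 1, re: /'/ },
  { name: 'comment',      weight: 2, re: /--|\/\*/ },
  { name: 'stacked',      weight: 3, re: /;\s*(select|insert|update|delete|drop|alter|create)\b/i },
  { name: 'union-select', weight: 3, re: /\bunion\b[\s\S]*\bselect\b/i },
  { name: 'tautology',    weight: 3, re: /\b(or|and)\s+(\d+|'[^']*')\s*=\s*(\d+|'[^']*')/i },
  { name: 'time-based',   weight: 3, re: /\bpg_sleep\s*\(/i },
  { name: 'schema-probe', weight: 2, re: /\b(information_schema|pg_catalog|pg_shadow)\b/i },
];
const FLAG_THRESHOLD = 3;

// Constructed sample log: five requests plus one corrupt line. The
// /api/getLibraryOverview path is invented to stand in for the "additional
// endpoints" the advisory mentions without naming.
const SAMPLE_REQUESTS = [
  { ts: '2026-04-23T10:00:01Z', ip: '10.0.0.5', user: 'alice', method: 'POST',
    path: '/api/getUserDetails', body: { userid: 'a1b2c3d4e5f6' } },
  { ts: '2026-04-23T10:00:02Z', ip: '10.0.0.5', user: 'alice', method: 'POST',
    path: '/api/getUserDetails', body: { username: "O'Brien" } },
  { ts: '2026-04-23T10:05:10Z', ip: '203.0.113.7', user: 'guest', method: 'POST',
    path: '/api/getUserDetails', body: { userid: "x' OR 1=1 --" } },
  { ts: '2026-04-23T10:05:11Z', ip: '203.0.113.7', user: 'guest', method: 'POST',
    path: '/api/getUserDetails', body: { userid: "x' UNION SELECT usename, passwd FROM pg_shadow --" } },
  { ts: '2026-04-23T10:09:40Z', ip: '10.0.0.9', user: 'bob', method: 'POST',
    path: '/api/getLibraryOverview', body: { libraryid: "x'; SELECT pg_sleep(5) --" } },
];
const SAMPLE_LOG = SAMPLE_REQUESTS.map((r) => JSON.stringify(r))
  .concat(['garbage line, not JSON'])
  .join('\n');

// Yield [fieldPath, string] for every string value nested anywhere in the body.
function* stringFields(value, prefix = 'body') {
  if (typeof value === 'string') { yield [prefix, value]; return; }
  if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) yield* stringFields(v, `${prefix}.${k}`);
  }
}

// Parse each line, skip non-/api/ paths and unparseable lines, and score every
// string field in the body against INDICATORS.
function scanLog(text) {
  const findings = [];
  let malformed = 0;
  text.split('\n').forEach((line, idx) => {
    if (!line.trim()) return;
    let rec;
    try { rec = JSON.parse(line); } catch { malformed++; return; }
    if (!rec.path || !String(rec.path).startsWith('/api/')) return;
    for (const [field, value] of stringFields(rec.body)) {
      const hits = INDICATORS.filter((ind) => ind.re.test(value));
      if (hits.length === 0) continue;
      const score = hits.reduce((sum, ind) => sum + ind.weight, 0);
      findings.push({
        line: idx + 1, ts: rec.ts, ip: rec.ip, user: rec.user, path: rec.path,
        field, value, indicators: hits.map((h) => h.name), score,
        flagged: score >= FLAG_THRESHOLD,
      });
    }
  });
  return { findings, malformed };
}

// Count flagged requests per "ip/user" so the noisiest sources surface first.
function summarizeBySource(findings) {
  const counts = {};
  for (const f of findings) {
    if (!f.flagged) continue;
    const key = `${f.ip}/${f.user}`;
    counts[key] = (counts[key] || 0) + 1;
  }
  return counts;
}

const report = scanLog(SAMPLE_LOG);
console.log(JSON.stringify(summarizeBySource(report.findings), null, 2));
```

On the sample input the `guest` account from 203.0.113.7 accounts for two flagged requests and `bob` for one, while alice's `O'Brien` is listed with a single `quote-break` indicator and not flagged. Treat the output as a starting point for the database review, not proof of compromise: a flagged request tells you which account and source to look at, and which rows and tokens to check and rotate.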
Context: Jellystat Deployments
Jellystat is widely used by self-hosted Jellyfin media server operators to track viewing statistics, user activity, and playback history. Many deployments run inside Docker containers on home servers or small private networks — but instances exposed to the internet (e.g., for remote access) are directly at risk.
The low privileges required (any authenticated user) combined with the network attack vector and low complexity make this vulnerability highly exploitable in environments where multiple users share a Jellystat instance.
Recommendations
All Jellystat operators should upgrade to version 1.1.10 without delay. The authenticated-but-low-privilege requirement is a realistic threat in shared Jellyfin environments where multiple users have accounts. SQL injection at CVSS 9.1 indicates high potential for full database compromise.
If upgrading immediately is not possible, disable internet-facing access to Jellystat and restrict it to internal network use only until the patch is applied.