Home > Vulnerability Database > CVE-2025-24960

Mend.io Vulnerability Database

CVE-2025-24960

Date: February 3, 2025

Jellystat is a free and open source Statistics App for Jellyfin. In affected versions Jellystat is directly using a user input in the route(s). This can lead to Path Traversal Vulnerabilities. Since this functionality is only for admin(s), there is very little scope for abuse. However, the "DELETE" "files/:filename" can be used to delete any file. This issue has been addressed in version 1.1.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Severity Score

8.7

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-24960

Url: https://github.com/CyferShepard/Jellystat/security/advisories/GHSA-6x46-6w9f-ffv6

Url: https://cwe.mitre.org/data/definitions/22.html

Url: https://github.com/CyferShepard/Jellystat/pull/303

Url: https://www.mend.io/vulnerability-database/CVE-2025-24960

Severity Score

8.7

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

CVSS v3.1

Base Score:	8.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-24960

Date: February 3, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?