CVE-2017-20220 HIGH

CVE-2017-20220: Serviio PRO 1.8 Unauthenticated Password Change via REST API

Vendor Serviio
Product Serviio PRO
Weakness CWE-306 · Missing auth
Published March 15, 2026
Last update March 16, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Serviio PRO 1.8 contains an improper access control vulnerability in the Configuration REST API that allows unauthenticated attackers to change the mediabrowser login password. Attackers can send specially crafted requests to the REST API endpoints to modify credentials without authentication.

Key dates

02Disclosure timeline

March 15, 2026 CVE published
March 16, 2026 Record updated