CVE-2025-34101 CRITICAL

CVE-2025-34101: Serviio Media Server Unauthenticated Command Injection via checkStreamUrl VIDEO Parameter

Vendor Serviio

Product Media Server

Weakness CWE-78

Published July 10, 2025

Last update May 14, 2026

View on NVD All CVEs

CVSS base score

9.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

An unauthenticated command injection vulnerability exists in Serviio Media Server versions 1.4 through 1.8 on Windows, in the /rest/action API endpoint exposed by the console component (default port 23423). The checkStreamUrl method accepts a VIDEO parameter that is passed unsanitized to a call to cmd.exe, enabling arbitrary command execution under the privileges of the web server. No authentication is required to exploit this issue, as the REST API is exposed by default and lacks access controls.

Key dates

02Disclosure timeline

July 10, 2025 CVE published

May 14, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-34101

Related vulnerabilities

CVE-2025-34101: Serviio Media Server Unauthenticated Command Injection via checkStreamUrl VIDEO Parameter

01Description

02Disclosure timeline

03References

04Related CVE