this post was submitted on 01 Apr 2026
709 points (99.0% liked)

Selfhosted

59999 readers
721 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam.

  3. Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.

  4. Don't duplicate the full text of your blog or git here. Just post the link for folks to click.

  5. Submission headline should match the article title.

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
ayyy@sh.itjust.works
curbstickle@anarchist.nexus
curbstickle_lw@lemmy.world
709
Jellyfin critical security update - This is not a joke (github.com)
submitted 2 months ago by Mubelotix@jlai.lu to c/selfhosted@lemmy.world
260 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] kieron115@startrek.website 3 points 2 months ago* (last edited 2 months ago) (2 children)

Sounds like a great reason to use Plex instead!

edit: to add something constructive to my snarky comment, what kind of attack surface are we talkin here? Multiple ports? Lots of separate services running? No authentication?

[–] mic_check_one_two@lemmy.dbzer0.com 7 points 2 months ago (2 children)

There has been a known “anyone can access your media without authentication” vulnerability for seven years and counting, and the Jellyfin devs have openly stated that they have no intentions of fixing it. Because fixing it would require completely divesting from the Enby branch that the entire program is built upon. And they never plan on refactoring that entire thing, so they never plan on fixing the vulnerabilities.

The “don’t expose it to the internet” people aren’t just screaming at clouds. Jellyfin is objectively insecure, and shouldn’t be exposed.

[–] kieron115@startrek.website 3 points 2 months ago* (last edited 2 months ago) (1 children)

Jeez, so it's meant to be a literal home media server. Able, but not designed, to be used for sharing.

[–] mic_check_one_two@lemmy.dbzer0.com 5 points 2 months ago

Exactly. And that’s honestly why I doubt it will ever truly contend with Plex. It’s fine for sharing with friends who can figure out how to connect via VPN, but it’ll never be robust enough to share with your tech-illiterate grandparents on the open internet. Plex wins handily in that regard, because their sign in process is basically the same as Netflix, HBO, Hulu, etc…

Plex has problems of its own, but (at least as of me writing this) it doesn’t have any major known security vulnerabilities. They had some level 10.0 vulnerability last year, but they followed standard CVE protocols and patched it before the vulnerability was actually released.

[–] grrgyle@slrpnk.net 2 points 2 months ago

Ahh bummer. It works so well as a home media server... kind of calls out for sharing.

[–] possiblylinux127@lemmy.zip 5 points 2 months ago (1 children)

Plex has its own set of problems

[–] kieron115@startrek.website 1 points 2 months ago* (last edited 2 months ago)

Sure, but being mostly secure by default isn't one of them. One advantage of running a service that offers optional subscription services is that they can offer security features like built-in SSL and AAA that just work. Any average user can install it and have a reasonably secure service running. Hell, until a few months ago you didn't even need to open a port to have remote access to your content, whether you paid or not. Now they've made that a paid feature though.