this post was submitted on 11 May 2026
747 points (96.6% liked)

Selfhosted

ShortN0te@lemmy.ml 1 points 1 month ago

As I said, when you know the exact path of a media item on the server then you can check if the item exists.

If you choose a non-standard filepath, it's not an issue.

Should that be fixed? Yes.

What's the scenario? A law firm could brute-force check all media items on open Jellyfin servers? Highly illegal to exploit something like this in a lot of jurisdictions. And it would also not prove the existence of the media on the server, just a file named like it.

Mitigation? Just add another random letter in the docker-compose mount path.