CVE-2025-69416

Published January 2nd, 2026

View on NVD ↗

CVSS v3

MEDIUM

CVSS v2

N/A

Affected

PROJECT

Description

In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve other tokens (intended for unrelated access) via clients.plex.tv/devices.xml.

lufinkey/vulnerability-research

Collection of CVEs that i've discovered

GitHub