lufinkey/vulnerability-research

lufinkey/vulnerability-research

Releases0

Stars1

Collection of CVEs that i've discovered

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2025-69416 ↗	Jan 2, 2026Friday, 2 January 2026, 17:16	5 MEDIUM	—
In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve other tokens (intended for unrelated access) via clients.plex.tv/devices.xml.
CVE-2025-69417 ↗	Jan 2, 2026Friday, 2 January 2026, 17:16	5 MEDIUM	—
In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve share tokens (intended for unrelated access) via a shared_servers endpoint.
CVE-2025-69414 ↗	Jan 2, 2026Friday, 2 January 2026, 17:16	8.5 HIGH	—
Plex Media Server (PMS) through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token.
CVE-2025-69415 ↗	Jan 2, 2026Friday, 2 January 2026, 17:16	7.1 HIGH	—
In Plex Media Server (PMS) through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account.
CVE-2025-34158 ↗	Aug 21, 2025Thursday, 21 August 2025, 14:15	8.5 HIGH	—
Plex Media Server (PMS) 1.41.7.x through 1.42.0.x before 1.42.1 is affected by incorrect resource transfer between spheres because /myplex/account provides the credentials of the server owner (and a /api/resources call reveals other servers accessible by that server owner).