plex

Top products

The 15 most recently published vulnerabilities affecting plex.

• CVE-2025-69417In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve share tokens (intended for unrelated access) via a shared_servers endpoint.5.0Jan 2, 2026
• CVE-2025-69416In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve other tokens (intended for unrelated access) via clients.plex.tv/devices.xml.5.0Jan 2, 2026
• CVE-2025-69415In Plex Media Server (PMS) through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account.7.1Jan 2, 2026
• CVE-2025-69414Plex Media Server (PMS) through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token.8.5Jan 2, 2026
• CVE-2025-34158Plex Media Server (PMS) 1.41.7.x through 1.42.0.x before 1.42.1 is affected by incorrect resource transfer between spheres because /myplex/account provides the credentials of the server owner (and ...8.5Aug 21, 2025
• CVE-2021-33959Plex media server 1.21 and before is vulnerable to ddos reflection attack via plex service.7.5Jan 18, 2023
• CVE-2021-42835An issue was discovered in Plex Media Server through 1.24.4.5081-e362dc1ee. An attacker (with a foothold in a endpoint via a low-privileged user account) can access the exposed RPC service of the u...7.0Dec 8, 2021
• CVE-2020-5742Improper Access Control in Plex Media Server prior to June 15, 2020 allows any origin to execute cross-origin application requests.8.8Jun 15, 2020
• CVE-2020-5741Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code.KEV7.2May 8, 2020
• CVE-2020-5740Improper Input Validation in Plex Media Server on Windows allows a local, unauthenticated attacker to execute arbitrary Python code with SYSTEM privileges.7.8Apr 22, 2020
• CVE-2019-19141The Camera Upload functionality in Plex Media Server through 1.18.2.2029 allows remote authenticated users to write files anywhere the user account running the Plex Media Server has permissions. Th...8.8Dec 19, 2019
• CVE-2018-21031Tautulli versions 2.1.38 and below allows remote attackers to bypass intended access control in Plex Media Server because the X-Plex-Token is mishandled and can be retrieved from Tautulli. NOTE: In...6.5Nov 18, 2019
• CVE-2018-13415In Plex Media Server 1.13.2.5154, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this ...9.8Aug 13, 2018
• CVE-2014-9304Plex Media Server before 0.9.9.3 allows remote attackers to bypass the web server whitelist, conduct SSRF attacks, and execute arbitrary administrative actions via multiple crafted X-Plex-Url heade...7.5Dec 7, 2014
• CVE-2014-9181Multiple directory traversal vulnerabilities in Plex Media Server before 0.9.9.3 allow remote attackers to read arbitrary files via a .. (dot dot) in the URI to (1) manage/ or (2) web/ or remote au...5.0Dec 2, 2014