Media server

This hub aggregates every CVE we track for Media server, a product in the communications space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Media server.

• CVE-2025-69417In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve share tokens (intended for unrelated access) via a shared_servers endpoint.5.0Jan 2, 2026
• CVE-2025-69416In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve other tokens (intended for unrelated access) via clients.plex.tv/devices.xml.5.0Jan 2, 2026
• CVE-2025-69415In Plex Media Server (PMS) through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account.7.1Jan 2, 2026
• CVE-2025-69414Plex Media Server (PMS) through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token.8.5Jan 2, 2026
• CVE-2025-34158Plex Media Server (PMS) 1.41.7.x through 1.42.0.x before 1.42.1 is affected by incorrect resource transfer between spheres because /myplex/account provides the credentials of the server owner (and ...8.5Aug 21, 2025
• CVE-2025-49198Poor quality of randomness in authorization tokens3.1Jun 12, 2025
• CVE-2025-49197Deprecated TLS version supported6.5Jun 12, 2025
• CVE-2025-49195No protection against brute-force attacks5.3Jun 12, 2025
• CVE-2025-49194Unencrypted communication7.5Jun 12, 2025
• CVE-2025-49193Missing HTTP Security Headers4.2Jun 12, 2025
• CVE-2025-49192Clickjacking4.3Jun 12, 2025
• CVE-2025-49189Cookie missing HttpOnly flag5.3Jun 12, 2025
• CVE-2025-49186No brute-force protection5.3Jun 12, 2025
• CVE-2025-49183Unencrypted communication (HTTP)7.5Jun 12, 2025
• CVE-2025-49182Credential disclosure7.5Jun 12, 2025