CVE-2020-26948
Published 2020-10-10
CVE-2020-26948: Emby Server before 4.5.0 allows SSRF via the Items/RemoteSearch/Image ImageURL parameter.
Priority: P186
CVSS 3.1: 9.8 (critical)
Exploited in the wild (ITW); listed in VulnCheck KEV
EPSS: 87.15% (99.7th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| emby | emby | < 4.5.0 | 4.5.0 |
Detection & IOCs (extracted from sources)
- Monitor HTTP GET requests to the Emby endpoint /Items/RemoteSearch/Image with a user-supplied ImageURL parameter pointing to internal/non-public addresses, indicating SSRF exploitation attempts.
- Use the Metasploit auxiliary module emby_ssrf_scanner to detect vulnerable Emby instances; look for scanner activity generating GET requests to Emby servers with SSRF payloads in the ImageURL parameter.
- Correlate use of the emby_version_ssrf scanner (Metasploit) with emby_ssrf_scanner activity; combined use indicates active reconnaissance and exploitation of CVE-2020-26948.
- Flag HTTP responses with Content-Type 'text/html' or 'application/octet-stream' and HTTP 200 status from the Emby SSRF endpoint, as these indicate successful SSRF data retrieval via the ImageURL parameter.
- The vulnerability affects Emby Server versions before 4.5.0 only; instances running 4.5.0 or later are not affected by this SSRF.
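A log-side check for the first indicator above, as an added example that is not code from the page or from Emby: it parses access-log lines, isolates requests to /Items/RemoteSearch/Image, and reports any whose ImageURL resolves to a loopback, private, link-local or other non-public literal address (the log format, the sample lines and the use of Python's ipaddress module are assumptions).

```python
"""Flag Emby access-log lines matching the CVE-2020-26948 SSRF pattern (added example, not Emby's code)."""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: one benign lookup, then three suspicious requests.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2020:12:00:01 +0000] "GET /Items/RemoteSearch/Image?ImageURL=https%3A%2F%2Fimage.tmdb.org%2Fposter.jpg HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2020:12:00:02 +0000] "GET /emby/Items/RemoteSearch/Image?ImageURL=http%3A%2F%2F127.0.0.1%3A8096%2F HTTP/1.1" 200 812
203.0.113.7 - - [10/Oct/2020:12:00:03 +0000] "GET /Items/RemoteSearch/Image?ImageURL=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 301
203.0.113.7 - - [10/Oct/2020:12:00:04 +0000] "GET /Items/RemoteSearch/Image?imageurl=http%3A%2F%2F2130706433%2F HTTP/1.1" 200 44
"""
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def is_non_public(host: str) -> bool:
    """True for 'localhost' or a literal IP outside the public ranges.
    Other hostnames are not resolved here (offline); a production rule would
    resolve them and apply the same test to every returned address."""
    if host.lower() == "localhost":
        return True
    try:  # also accept a decimal-integer host such as 2130706433 (== 127.0.0.1)
        addr = ipaddress.ip_address(int(host) if host.isdigit() else host)
    except ValueError:
        return False
    return not addr.is_global

def scan_log(text: str) -> list:
    """One finding per request whose ImageURL targets a non-public host."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        req = urlsplit(m["target"])
        # Emby may be mounted under /emby/; match the endpoint case-insensitively.
        if not req.path.lower().endswith("/items/remotesearch/image"):
            continue
        params = {k.lower(): v for k, v in parse_qs(req.query).items()}
        for image_url in params.get("imageurl", []):  # parse_qs already %-decodes
            host = urlsplit(image_url).hostname
            if host and is_non_public(host):
                findings.append({"src": m["src"], "status": int(m["status"]),
                                 "image_url": image_url})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Combine the findings with the response-side indicator (HTTP 200 with text/html or application/octet-stream) before alerting, since a lookup against a public image host is normal Emby behaviour.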
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | | 9.8 | CRITICAL | |
GHSA
GHSA-cw27-8cg2-49c9: Emby Server before 4
Source: ghsa (unreviewed) · 2022-05-24 · CRITICAL · CWE-918
Emby Server before 4.5.0 allows SSRF via the Items/RemoteSearch/Image ImageURL parameter.
VulnCheck
emby emby Server-Side Request Forgery (SSRF)
Source: vulncheck · 2020 · CVSS 9.8 · CRITICAL
Emby Server before 4.5.0 allows SSRF via the Items/RemoteSearch/Image ImageURL parameter.
Affected: emby emby
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-11-18&host_type=src&vulnerability=cve-2020-26948
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-11-21&host_type=src&vulnerability=cve-2020-26948
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-11-22&host_type=src&vulnerability=cve-2020-26948
- https://dashboard.shadowserver.org/statistics/honeypot/vulner
No detection rules found.
Nuclei
Jellyfin Security Checks
Source: nuclei · CVSS 9.8 · CRITICAL
A simple workflow that runs all Jellyfin related nuclei templates on a given target.
Template:
```yaml
id: jellyfin-workflow
info:
  name: Jellyfin Security Checks
  author: dwisiswant0
  description: A simple workflow that runs all Jellyfin related nuclei templates on a given target.
workflows:
  - template: http/technologies/jellyfin-detect.yaml
    subtemplates:
      - template: http/cves/2020/CVE-2020-26948.yaml
      - template: http/cves/2021/CVE-2021-21402.yaml
```
Metasploit
Emby SSRF HTTP Scanner
Source: metasploit · CVSS 9.8 · CRITICAL
Generates a `GET` request to the provided web servers and executes an SSRF against the targeted Emby server. Returns the server header, HTML title attribute and location header (if set). This is useful for rapidly identifying web applications on the internal network using the Emby SSRF vulnerability (CVE-2020-26948).
Metasploit
Emby Version Scanner
Source: metasploit · CVSS 9.8 · CRITICAL
This module attempts to identify the version of an Emby Media Server running on a host. If you wish to see all the information available, set VERBOSE to true. Use in conjunction with emby_ssrf_scanner to locate devices vulnerable to CVE-2020-26948.
Nuclei
Emby < 4.5.0 - Server-Side Request Forgery
Source: nuclei · CVSS 9.8 · CRITICAL
Template (fragment):
```yaml
Emby Interactsh Server "
      - type: word
        part: content_type
        words:
          - "text/html"
          - "application/octet-stream"
      - type: status
        status:
          - 200
# digest: 4b0a00483046022100a5baf5418debc43d8df6640c7e53bf40a720d79244b15a06da83bae40674e550022100f645e0be638f9a5044eae76b2fbfc6cb2f9b58984c5eaf91909b93436cfcd9d0:922c64590222798bb761d5b6d8e72950
```