Plex

Products by Plex Sorted by Most Security Vulnerabilities since 2018

Plex Media Server: 11 vulnerabilities

Plex Media Server: 1 vulnerability

Known Exploited Plex Vulnerabilities

The following Plex vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title: Plex Media Server Remote Code Execution Vulnerability (CVE-2020-5741)
Description: Plex Media Server contains a remote code execution vulnerability that allows an attacker with access to the server administrator's Plex account to upload a malicious file via the Camera Upload feature and have the media server execute it.
Exploit Probability: 38.4%
Added: March 10, 2023

The vulnerability CVE-2020-5741: Plex Media Server Remote Code Execution Vulnerability is in the top 5% of the currently known exploitable vulnerabilities.

By the Year

In 2026 there have been 4 vulnerabilities in Plex with an average score of 6.4 out of ten. Last year, in 2025, Plex had 2 security vulnerabilities published. That is, 2 more vulnerabilities have already been reported in 2026 than last year. Last year, the average CVE base score was greater by 2.10.

Year Vulnerabilities Average Score
2026 4 6.40
2025 2 8.50
2024 0 0.00
2023 1 7.50
2022 0 0.00
2021 0 0.00
2020 2 8.00
2019 2 0.00
2018 1 9.80

It may take a day or so for new Plex vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Plex Security Vulnerabilities

CVE-2025-69417 (Jan 02, 2026)
PMS: Non-server Token leaks share tokens via shared_servers
In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve share tokens (intended for unrelated access) via a shared_servers endpoint.

CVE-2025-69416 (Jan 02, 2026)
Plex Media Server Token Disclosure via devices.xml
In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve other tokens (intended for unrelated access) via clients.plex.tv/devices.xml.

CVE-2025-69415 (Jan 02, 2026)
Plex Media Server (PMS) <1.42.2.10156 Device Token Validation Flaw
In Plex Media Server (PMS) through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account.
Products: Media Server

CVE-2025-69414 (Jan 02, 2026)
Plex Media Server 1.42.2.10156 Allows Permanent Token Retrieval (CVE-2025-69414)
Plex Media Server (PMS) through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token.
Products: Media Server

CVE-2025-34158 (Aug 21, 2025)
Plex Media Server (PMS) 1.41.7.x through 1.42.0.x before 1.42.1 is affected by incorrect resource transfer between spheres because /myplex/account provides the credentials of the server owner (and a /api/resources call reveals other servers accessible by that server owner).
Products: Media Server

CVE-2025-34101 (Jul 10, 2025)
Serviio Media Server 1.4-1.8 CLI Injection via /rest/action (cmd.exe)
An unauthenticated command injection vulnerability exists in Serviio Media Server versions 1.4 through 1.8 on Windows, in the /rest/action API endpoint exposed by the console component (default port 23423). The checkStreamUrl method accepts a VIDEO parameter that is passed unsanitized to a call to cmd.exe, enabling arbitrary command execution under the privileges of the web server. No authentication is required to exploit this issue, as the REST API is exposed by default and lacks access controls.
Products: Media Server Firmware

CVE-2021-33959 (Jan 18, 2023)
Plex Media Server <1.21 DDoS Reflection via Plex Service
Plex media server 1.21 and before is vulnerable to ddos reflection attack via plex service.
Products: Media Server

CVE-2020-5742 (Jun 15, 2020)
Improper Access Control in Plex Media Server prior to June 15, 2020 allows any origin to execute cross-origin application requests.
Products: Media Server

CVE-2020-5741 (May 08, 2020)
Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code.
Products: Media Server

CVE-2019-19141 (Dec 19, 2019)
The Camera Upload functionality in Plex Media Server through 1.18.2.2029 allows remote authenticated users to write files anywhere the user account running the Plex Media Server has permissions. This allows remote code execution via a variety of methods, such as (on a default Ubuntu installation) creating a .ssh folder in the plex user's home directory via directory traversal, uploading an SSH authorized_keys file there, and logging into the host as the Plex user via SSH.
Products: Media Server
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).