Plex Media Server
By the Year
In 2026 there have been 2 vulnerabilities in Plex Media Server, with an average score of 7.8 out of ten. Last year, in 2025, Media Server had 1 security vulnerability published. That is, 1 more vulnerability has already been reported in 2026 than in all of last year. Last year, the average CVE base score was greater by 0.70.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 2 | 7.80 |
| 2025 | 1 | 8.50 |
| 2024 | 0 | 0.00 |
| 2023 | 1 | 7.50 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 2 | 8.00 |
| 2019 | 2 | 0.00 |
| 2018 | 1 | 9.80 |
It may take a day or so for new Media Server vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Plex Media Server Security Vulnerabilities
Plex Media Server (PMS) <1.42.2.10156 Device Token Validation Flaw
CVE-2025-69415
7.1 - High
- January 02, 2026
In Plex Media Server (PMS) through 1.42.2.10156, the ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account.
Operation on a Resource after Expiration or Release
Plex Media Server 1.42.2.10156 Allows Permanent Token Retrieval (CVE-2025-69414)
CVE-2025-69414
8.5 - High
- January 02, 2026
Plex Media Server (PMS) through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token.
AuthZ
Plex Media Server (PMS) 1.41.7.x through 1.42.0.x before 1.42.1 is affected by incorrect resource transfer between spheres because /myplex/account provides the credentials of the server owner (and a /api/resources call reveals other servers accessible by
CVE-2025-34158
8.5 - High
- August 21, 2025
Plex Media Server (PMS) 1.41.7.x through 1.42.0.x before 1.42.1 is affected by incorrect resource transfer between spheres because /myplex/account provides the credentials of the server owner (and a /api/resources call reveals other servers accessible by that server owner).
Incorrect Resource Transfer Between Spheres
Plex Media Server <1.21 DDoS Reflection via Plex Service
CVE-2021-33959
7.5 - High
- January 18, 2023
Plex Media Server 1.21 and before is vulnerable to a DDoS reflection attack via the Plex service.
Origin Validation Error
Improper Access Control in Plex Media Server prior to June 15, 2020
CVE-2020-5742
8.8 - High
- June 15, 2020
Improper Access Control in Plex Media Server prior to June 15, 2020 allows any origin to execute cross-origin application requests.
Exposure of Resource to Wrong Sphere
Deserialization of Untrusted Data in Plex Media Server on Windows
CVE-2020-5741
7.2 - High
- May 08, 2020
Deserialization of Untrusted Data in Plex Media Server on Windows allows a remote, authenticated attacker to execute arbitrary Python code.
Marshaling, Unmarshaling
The Camera Upload functionality in Plex Media Server through 1.18.2.2029
CVE-2019-19141
- December 19, 2019
The Camera Upload functionality in Plex Media Server through 1.18.2.2029 allows remote authenticated users to write files anywhere the user account running the Plex Media Server has permissions. This allows remote code execution via a variety of methods, such as (on a default Ubuntu installation) creating a .ssh folder in the plex user's home directory via directory traversal, uploading an SSH authorized_keys file there, and logging into the host as the Plex user via SSH.
Tautulli versions 2.1.38 and below
CVE-2018-21031
- November 18, 2019
Tautulli versions 2.1.38 and below allow remote attackers to bypass intended access control in Plex Media Server because the X-Plex-Token is mishandled and can be retrieved from Tautulli. NOTE: Initially, this ID was associated with Plex Media Server 1.18.2.2029-36236cc4c as the affected product and version. Further research indicated that Tautulli is the correct affected product.
In Plex Media Server 1.13.2.5154
CVE-2018-13415
9.8 - Critical
- August 13, 2018
In Plex Media Server 1.13.2.5154, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing (XXE) attack. Remote, unauthenticated attackers can use this vulnerability to: (1) Access arbitrary files from the filesystem with the same permission as the user account running Plex, (2) Initiate SMB connections to capture a NetNTLM challenge/response and crack to cleartext password, or (3) Initiate SMB connections to relay a NetNTLM challenge/response and achieve Remote Command Execution in Windows domains.
XXE
Plex Media Server before 0.9.9.3
CVE-2014-9304
- December 07, 2014
Plex Media Server before 0.9.9.3 allows remote attackers to bypass the web server whitelist, conduct SSRF attacks, and execute arbitrary administrative actions via multiple crafted X-Plex-Url headers to system/proxy, which are inconsistently processed by the request handler in the backend web server.
Permissions, Privileges, and Access Controls
Multiple directory traversal vulnerabilities in Plex Media Server before 0.9.9.3 allow remote attackers to read arbitrary files via a
CVE-2014-9181
- December 02, 2014
Multiple directory traversal vulnerabilities in Plex Media Server before 0.9.9.3 allow remote attackers to read arbitrary files via a .. (dot dot) in the URI to (1) manage/ or (2) web/ or remote authenticated users to read arbitrary files via a .. (dot dot) in the URI to resources/.
Directory traversal