Every CVE whose affected-product data names Plex Media Server, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (14)
CVE-2018-13415 — CVSS 9.8 (critical): In Plex Media Server 1.13.2.5154, the XML parsing engine for SSDP/UPnP functionality is vulnerable to an XML External Entity Processing…
CVE-2019-19141 — CVSS 8.8 (high): The Camera Upload functionality in Plex Media Server through 1.18.2.2029 allows remote authenticated users to write files anywhere the user…
CVE-2020-5742 — CVSS 8.8 (high): Improper Access Control in Plex Media Server prior to June 15, 2020 allows any origin to execute cross-origin application requests.
CVE-2025-69414 — CVSS 8.5 (high): Plex Media Server (PMS) through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient…
CVE-2020-5740 — CVSS 7.8 (high): Improper Input Validation in Plex Media Server on Windows allows a local, unauthenticated attacker to execute arbitrary Python code with…
CVE-2014-9304 — CVSS 7.5 (high): Plex Media Server before 0.9.9.3 allows remote attackers to bypass the web server whitelist, conduct SSRF attacks, and execute arbitrary…
CVE-2025-69415 — CVSS 7.1 (high): In Plex Media Server (PMS) through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether…
CVE-2021-42835 — CVSS 7.0 (high): An issue was discovered in Plex Media Server through 1.24.4.5081-e362dc1ee. An attacker (with a foothold in a endpoint via a low-privileged…
CVE-2018-21031 — CVSS 6.5 (medium): Tautulli versions 2.1.38 and below allows remote attackers to bypass intended access control in Plex Media Server because the X-Plex-Token…
CVE-2025-69417 — CVSS 5.0 (medium): In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve share tokens (intended for…
CVE-2025-69416 — CVSS 5.0 (medium): In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve other tokens (intended for…
CVE-2014-9181 — CVSS 5.0 (medium): Multiple directory traversal vulnerabilities in Plex Media Server before 0.9.9.3 allow remote attackers to read arbitrary files via a…