### [CVE-2021-32833](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32833)
![](https://img.shields.io/static/v1?label=Product&message=Emby.Releases&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3C%3D%204.6.4.0%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-552%20Files%20or%20Directories%20Accessible%20to%20External%20Parties&color=brightgreen)

### Description

Emby Server is a personal media server with apps on many devices. In Emby Server on Windows there is a set of arbitrary file read vulnerabilities. This vulnerability is known to exist in version 4.6.4.0 and may not be patched in later versions. Known vulnerable routes are /Videos/Id/hls/PlaylistId/SegmentId.SegmentContainer, /Images/Ratings/theme/name and /Images/MediaInfo/theme/name. For more details including proof of concept code, refer to the referenced GHSL-2021-051. This issue may lead to unauthorized access to the system especially when Emby Server is configured to be accessible from the Internet.

### POC

#### Reference
- https://securitylab.github.com/advisories/GHSL-2021-051-emby/

#### Github
No PoCs found on GitHub currently.