Plex is starting to enforce its new rules, which prevent users from remotely accessing a personal media server without a subscription fee.
If anyone needs it: https://jellyfin.org/
Why would anyone use Plex over jellyfin anyway? The writing was on the wall years ago.
Jellyfin is notoriously full of security holes. It’s recommended to not expose it to the Internet. It’s also easy easier on Plex, at least until this bullshit, to have a random non-techie family member sign in to your Plex server from anywhere. I never liked Plex and never got into it, but I see why people used to prefer it.
I think Emby is a good middle ground for people looking to jump ship from Plex. But I switched to jellyfin from my lifetime Emby sub because the plug-in community there feels dead and Emby development felt dead in the water.
Please do explain or link sources to what you think are “security holes”.
It has several unsecured endpoints.
https://github.com/jellyfin/jellyfin/issues/5415
If you read the comments the devs know it’s a serious issue but don’t want to break backwards compatibility fixing them. Their solution for now is to warn people of the risks of exposing their instance to the Web. Which I don’t think they’re doing a great job of.
Aside from most of those being “potential issues”, which weren’t proven, the rest are GETs of things that do not need to be secret, things like album art and list of installed plugins. Besides the one plugin issue, which was an actual security issue, which was fixed over a year and a half ago. https://github.com/jellyfin/jellyfin/pull/11436
Contrast that with Plex which has numerous high severity CVEs that include things like remote code execution, directory traversal, and more.
You’re aware those CVEs are only relevant for ancient versions of Plex and were fixed long ago?
They are not marked as resolved.
And you think if Jellyfin were a comparable size, there wouldn’t be just as many or more?
No… because more people would be working on it.
list of installed plugins.
Yeah, as you said, that’s a pretty serious security issue. That’s a data leak that explicitly lays out the shape of your attack surface. It tells the attacker exactly what additional software your server is running and if any of it includes known vulnerabilities, the attacker now knows how to gain access.
That only works if the plugins are somehow accessible through an api controller, which as far as I’m aware, is not how jellyfin plugins work. So no, it wouldn’t increase your attack surface at all.
Skip intro on Apple TV not working on Jellyfin is probably the #1 reason I do not use it.
When tvOS 26.2 comes out I will tentatively test Jellyfin + Infuse, but until then, Jellyfin is a non-starter for me.
But I use Emby over Plex so still not using Plex.
