Vulnerability Details CVE-2025-69416
In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve other tokens (intended for unrelated access) via clients.plex.tv/devices.xml.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.003
EPSS Ranking 19.0%
CVSS Severity
CVSS v3 Score 5.0
Products affected by CVE-2025-69416
-
cpe:2.3:a:plex:media_server:-
-
cpe:2.3:a:plex:media_server:0.9.9.2
-
cpe:2.3:a:plex:media_server:1.13.2.5154
-
cpe:2.3:a:plex:media_server:1.18.2.2029
-
cpe:2.3:a:plex:media_server:1.18.2.2029-36236cc4c
-
cpe:2.3:a:plex:media_server:1.19.1.2701
-
cpe:2.3:a:plex:media_server:1.19.3
-
cpe:2.3:a:plex:media_server:1.21
-
cpe:2.3:a:plex:media_server:1.24.4.5081
-
cpe:2.3:a:plex:media_server:1.25.0.5282
-
cpe:2.3:a:plex:media_server:1.42.0.9975
-
cpe:2.3:a:plex:media_server:1.42.1.10054
-
cpe:2.3:a:plex:media_server:1.42.1.10060
-
cpe:2.3:a:plex:media_server:1.42.2.10122
-
cpe:2.3:a:plex:media_server:1.42.2.10156
-
cpe:2.3:a:plex:media_server:1.43.0.10162
-
cpe:2.3:a:plex:media_server:1.43.0.10231
-
cpe:2.3:a:plex:media_server:1.43.0.10346
-
cpe:2.3:a:plex:media_server:1.43.0.10389