Emby
Emby is a personal media server application that allows users to organize, stream, and manage their own video, music, and photo collections across devices. It offers a freemium model with basic features free and advanced functionality like hardware transcoding and DVR requiring a paid Emby Premiere subscription.
Score generated by AI agents based on publicly cited evidence and reviewed by the project maintainer. Not independently validated.
Score History
Timeline events are AI-curated from public reporting. Score trajectory is derived from documented events.
Media Browser launched as a fully open-source GPLv2 plugin for Windows Media Center, created by Luke Pulverenti with community contributors. The project had no monetization, no paywalls, and no proprietary components. Minimal enshittification risk existed beyond the inherent lock-in of the Windows Media Center ecosystem and the informal governance structure of a volunteer-driven project.
Media Browser rebranded to Emby and transitioned from a WMC plugin to a standalone client-server media platform. Luke Pulverenti went full-time, and the project introduced a Supporter/Premiere subscription model to fund development. Features like mobile sync and cinema intros became premium-only, establishing the freemium model. The codebase remained mostly open source with the GPLv2 server published on GitHub.
Proprietary binary DLLs were discovered in the GitHub repository that prevented the server from compiling without them, raising GPL violation concerns while Emby still marketed itself as open source. Build scripts were made proprietary, meaning published binaries were non-reproducible. Users discovered persistent mb3admin.com phone-home behavior sending device IDs and account names. Client app repositories began disappearing from GitHub, signaling the coming enclosure.
Version 3.5.3 formally closed the source code, announced casually in a bug report comment rather than through proper disclosure. The Jellyfin fork launched in December 2018 in direct response, with founders citing GPL violations, developer hostility, and code hiding. Emby Server 4.0 followed in January 2019, paywalling hardware-accelerated transcoding behind Premiere. Database schema changes made migration to Jellyfin impossible for anyone on 3.5.3+, creating a permanent switching cost barrier.
Emby settled into a steady cadence of proprietary releases (4.3 through 4.7), adding Live TV performance improvements, .NET 6.0 migration, and platform expansion. The SSRF vulnerability CVE-2020-26948 was disclosed and patched. Pricing remained stable at $119 lifetime. The free tier grew more restrictive as mobile and desktop app playback was limited to one-minute trials without Premiere or an app unlock purchase. Forum moderation drew complaints with reports of paying subscribers being banned while subscriptions continued.
A proxy header spoofing vulnerability known since February 2020 but unpatched in stable releases was exploited at scale, compromising approximately 1,200 Emby servers with credential-harvesting malware. Emby's remote shutdown of affected servers was responsible but also demonstrated the company's ability to remotely disable user-hosted software. The incident exposed the security risks of closed-source software that cannot be independently audited, and the three-year gap between vulnerability disclosure and exploitation highlighted slow patching practices.
CVE-2024-30931, CVE-2025-64113 (CVSS 9.3 Critical), and reports of remote exploits deleting user media drove a rapid escalation in D10 from 5 to 9 between 2023 and 2026. The free tier stabilized somewhat with the December 2024 announcement of free TV playback for five devices, but mobile and smart TV apps still require Premiere or per-app unlocks. The product continues receiving regular updates but the pattern of serious security vulnerabilities in closed-source code persists.
Alternatives
Jellyfin: Free, open-source media server forked directly from Emby in 2018 when Emby went closed-source. No premium tier, no paywalls: all features are free. Moderate switch: your media files work as-is, but watch history and metadata require third-party migration tools since direct database import is not supported.
Plex: The most popular personal media server with polished apps and easy remote access setup. Free tier is functional but increasingly cluttered with ad-supported streaming content you did not ask for. Plex Pass ($5/month or $120 lifetime) unlocks hardware transcoding and other features. Has its own enshittification trajectory.
Dimensional Breakdown
Summaries below were written by AI agents based on the cited evidence. They are editorial interpretations, not independent research findings.
Timeline (40 events)
Media Browser Project Launched as WMC Plugin
Luke Pulverenti initiated Media Browser as an open-source plugin for Windows Media Center, providing a user-friendly interface for organizing personal digital media collections. The project was released under GPLv2 and attracted community contributors over the following years.
Media Browser 3 Client-Server Architecture Introduced
After Windows 8 dropped Windows Media Center support, Pulverenti reimagined Media Browser with a client-server architecture, transforming it from a WMC plugin into a standalone media server. This was the foundation for what would become Emby, with over a year of intensive development before public release.
Supporter Key System Introduced for Premium Features
Media Browser introduced a 'Supporter' key system allowing donors to access premium plugins and bonus features. This was the first step toward monetization of the formerly free project, though core functionality remained free and the server code stayed open source.
Media Browser Rebranded as Emby
Media Browser was officially rebranded to Emby (sounding like 'MB'), marking a strategic shift from a media center add-on to a full-fledged standalone media server platform. The new name accompanied a redesigned website at emby.media and expanded cross-platform client support.
Emby 3.0 Released with Standalone Server Architecture
Version 3.0.5572 launched Emby as a standalone server with web-based management, automatic metadata retrieval, real-time transcoding, and multi-device streaming. The release expanded support beyond video to include photos and music libraries, establishing the feature set that would define the product.
Luke Pulverenti Goes Full-Time on Emby
In a Linux.com interview, founder Luke Pulverenti confirmed he had begun working full-time on Emby earlier in 2015, leaving his healthcare software career. He described Emby as an LLC funded by Supporter memberships and committed to keeping the project open source, stating 'that was the best way for the project to continue moving forward.'
Emby Premiere Subscription Formally Launched
Emby formalized its premium subscription as 'Emby Premiere' with monthly, annual, and lifetime options. A summer 2016 promotion offered lifetime subscriptions at $79.99. Premium features included mobile sync, hardware transcoding, cloud sync, and cinema intros, establishing the freemium model that persists today.
Emby Source Code Found to Contain Proprietary Binary Blobs
Community members discovered that Emby's GitHub repository contained proprietary binary-only DLL files (including Emby.Server.CinemaMode.dll, Emby.Server.Connect.dll, Emby.Server.MediaEncoding.dll, and Emby.Server.Sync.dll) without source code. The server could not compile without these blobs, raising GPL violation concerns while the project still marketed itself as open source.
Build Scripts Made Proprietary, Published Binaries Non-Reproducible
It was discovered that releases published via the Emby website were proprietary and could not be replicated from the public source code because the build scripts were also proprietary. This meant Emby was marketing itself as open source while distributing binaries that no one outside the team could independently build or verify.
Privacy Concerns Raised Over mb3admin.com Tracking
Users discovered that Emby servers regularly communicated with mb3admin.com, sending unique device IDs and user account names. Even with reporting and updating features disabled, dozens of connection attempts to mb3admin.com appeared in logs every minute. The mb3admin.com domain had been operational since 2012, but the extent of data collection was not transparently disclosed.
Client App and Server Code Repositories Gradually Hidden
Emby began systematically removing various extensions and mobile app repositories from public access on GitHub. This progressive closing of previously open code preceded the formal closed-source transition and was later cited by Jellyfin founders as evidence of a deliberate enclosure strategy spanning several years.
Emby Server 3.4 Released with Remote Access Controls
Version 3.4 introduced media conversion features, NVENC hardware transcoding improvements for Linux, and per-user remote access controls. The release also added .strm file resume support and automatic wake-on-recording for Windows. This was the last major feature release before the closed-source transition.
Emby Server 3.5 Released with .NET Core Migration
Version 3.5 updated to .NET Core 2.1.2, ffmpeg 4.0.1, and improved library browsing performance. The release added Western Digital NAS support and a new blue radiance theme. This was the last version to maintain any pretense of open-source availability.
Emby 3.5.3 Goes Fully Closed-Source
Version 3.5.3 was released with the entire server codebase relicensed as proprietary software. Luke Pulverenti announced the change in an offhand comment on a bug report rather than a formal announcement, stating 'we now have additions that are costing us money.' The community was not consulted. Open-source components were moved to standalone plugins only.
Community Coordinates Fork Effort on GitHub
Joshua Boniface opened GitHub Issue #11 titled 'Upstream going closed-source,' documenting 'an extremely stark and chilling attitude from the core developers' and coordinating multiple independent fork efforts. Contributors including nvllsvm (who had maintained emby-unlocked patches), dcrdev, and JustAMan consolidated their work into a single project.
Jellyfin Fork Announced as Free Software Alternative
The Jellyfin project was formally announced, forked from Emby 3.5.2 by co-founders Andrew Rabert and Joshua Boniface. The founders cited GPL violations, hostility toward community contributors, paywalls on formerly free features, and the hiding of client and server code. nvllsvm proposed the name 'JellyFin,' which was adopted. The fork attracted global contributors rapidly.
Emby Forum Discussion Reveals Divided Community
A community forum thread titled 'Emby now closed-source..?' revealed deep divisions. Some users accepted the change given developer dedication, while others felt betrayed for having chosen Emby specifically for its open-source credentials. Critics noted Luke buried the announcement in a bug report comment rather than making a formal disclosure.
Emby Server 4.0 Released with Hardware Transcoding Paywall
The first fully closed-source major release introduced rewritten hardware transcoding supporting QuickSync, Nvidia, DXVA, VAAPI, and MediaCodec. However, hardware-accelerated transcoding was paywalled behind Emby Premiere on all platforms except Nvidia Shield and Western Digital. New live TV guide data and transcoding throttling were also added.
Jellyfin Documents Emby Database Migration Incompatibilities
Jellyfin developers documented that direct database migration from Emby 3.5.3+ was not supported due to schema incompatibilities. Users migrating were advised to start fresh with a new library scan, losing watched status, custom metadata, collections, and playlists. This effectively created a switching cost barrier between the two platforms.
Emby Server 4.2.1 Released
Version 4.2.1 continued iterating on the closed-source 4.x line with bug fixes and improvements. The release cadence demonstrated that Emby maintained active development despite the community split with Jellyfin, though the contributor base was now limited to paid staff rather than the broader open-source community.
Emby Server 4.3 Released with Subtitle Improvements
Version 4.3 brought improvements to subtitle handling, graphical subtitle overlay fixes, library scan path normalization, and various other fixes. The release continued Emby's pattern of incremental improvement on the proprietary codebase.
Emby Server 4.5 Released with Playback Rate Controls
Version 4.5 added adjustable subtitle offset and playback rate in the web player, updated to .NET Core 3.1.7, re-activated HTTP/2 features, and improved Live TV guide scrolling performance. Database and HTTP server performance improvements were also included.
SSRF Vulnerability Disclosed in Emby Server (CVE-2020-26948)
CVE-2020-26948 revealed that Emby Server before 4.5.0 was vulnerable to server-side request forgery via the Items/RemoteSearch/Image ImageURL parameter. The vulnerability allowed attackers to send crafted requests generating connections to malicious servers, potentially leading to data exfiltration and unauthorized access to internal networks.
Emby Server 4.6 Released with Live TV Performance Improvements
Version 4.6 delivered a 70% improvement in xmltv guide data refresh performance (from 2.5 hours to 45 minutes on a 4000-channel guide). Multi-select management features were added to list views. The release reinforced Emby's strength in Live TV/DVR functionality, a key differentiator from Jellyfin.
Emby Server 4.7 Released with .NET 6.0 and ffmpeg 5.0
Version 4.7 brought major framework updates to .NET Core 6.0 and ffmpeg 5.0, adding log anonymization, now-playing screen style options, and playlist import capabilities. The release demonstrated continued technical investment in the proprietary codebase, though the feature gap with Jellyfin continued narrowing.
Paying Subscriber Banned from Emby Forums
A paying Emby Premiere subscriber reported being banned from the support forums while subscription payments continued. The Emby support response was reportedly 'this is not AT&T, we don't have to deal with you.' The user had no alternative channel for support despite maintaining an active paid subscription.
Botnet Attack Compromises 1,200 Emby Servers
Attackers exploited a proxy header spoofing vulnerability (known since February 2020 but unpatched in stable releases) combined with insecure admin configurations to infiltrate approximately 1,200 Internet-exposed Emby servers. The attackers installed a malicious plugin (helper.dll/EmbyHelper.dll) that harvested login credentials of all users who signed into compromised servers.
Emby Remotely Shuts Down 1,200 Compromised Servers
Emby pushed a server update that detected the malicious plugin and prevented affected servers from starting until the plugin was removed. The team described this as shutting down a botnet 'within 60 seconds.' While the remote shutdown was a responsible security response, it also demonstrated that Emby has the technical capability to remotely disable user-hosted servers.
Full Disclosure Security Incident Report Published
Emby published a detailed incident report for the May 2023 botnet attack, explaining the proxy header spoofing vulnerability, the attack vector, and the remediation steps. The disclosure was transparent and comprehensive, demonstrating responsible security incident handling even though the underlying vulnerability had been known for over three years before it was exploited at scale.
Emby Server 4.8 Released
Version 4.8 was released with new features and improvements following the botnet incident. The release included security hardening measures addressing the proxy header vulnerability that had been exploited. The version also introduced new client app development capabilities.
Stored XSS Vulnerability Disclosed (CVE-2024-30931)
CVE-2024-30931 revealed a stored cross-site scripting vulnerability in Emby Server 4.8.3.0 in the notifications.html component. The FriendlyName parameter lacked sufficient validation, allowing attackers to craft payloads that executed when any user viewed notifications. The attack chain could escalate a regular user to platform administrator by stealing admin tokens.
Emby Server 4.8.4.0 Patches XSS Vulnerability
Emby released version 4.8.4.0 to address CVE-2024-30931, adding proper input validation to the notification creation request. The fix was released within approximately two weeks of public disclosure, demonstrating responsive patching for known vulnerabilities.
Emby Theater Discontinued, Replaced by New Windows App
Emby Theater Desktop was discontinued and replaced by a new unified 'Emby' app for Windows and Xbox, combining the best features of the desktop Theater app and the Windows Store version. The new app used MPV player for enhanced video playback. While technically an improvement, the forced migration removed a familiar client that some users preferred.
Free TV Playback for Five Devices Announced
Emby announced free playback for up to five TV devices per server, easing the transition from the old Android TV-only app to the new standard Android app. Emby Premiere device limits were also increased from 25 to 30 (standard), 45 to 50, and 75 to 80 (extended plans). Previously purchased app unlocks continued to be honored.
Remote Access Exploit Reportedly Deleting User Media
Emby community forum reports described a possible remote access exploit that was deleting media from Emby servers. The reports indicated that external attackers were able to access and delete files on user-hosted servers, raising concerns about another security vulnerability in the closed-source codebase.
Remote Code Execution Vulnerability Disclosed (CVE-2025-64325)
CVE-2025-64325 (CVSS 8.4) revealed that a malicious user could send manipulated authentication requests with crafted X-Emby-Client values that were added to the admin dashboard without sanitization. Exploitation could grant attackers persistence on the server machine through malicious scripts with admin permissions. All versions prior to 4.8.1.0 were affected.
Belgium CERT Issues High Severity Warning for Emby
The Belgian Centre for Cybersecurity (CCB) issued a warning about a high-severity remote code execution vulnerability in Emby Server, advising all users to patch immediately. The advisory classified the vulnerability as a significant threat requiring urgent action, marking the first time a national cybersecurity agency issued a specific warning about Emby.
Emby Premiere Lifetime Discounted to $99, Signals Price Increase
Neowin reported that Emby Premiere lifetime was discounted to $99, 'likely the last time price will be so low.' The messaging implied an upcoming permanent price increase for the lifetime tier, which had been at $119 with periodic $99 promotions. This signaled a shift toward extracting more revenue from the subscriber base.
Critical Admin Takeover Vulnerability Disclosed (CVE-2025-64113)
CVE-2025-64113 (CVSS 9.3 Critical) revealed that an attacker could gain full administrative access to any Emby server with no preconditions beyond network access, through a weak password recovery mechanism in the ForgotPassword API. The vulnerability was straightforward to exploit and required no special privileges or user interaction. All versions up to 4.9.1.80 (stable) and 4.9.2.6 (beta) were affected.
Emby Server 4.9.3 Released as Latest Stable
Version 4.9.3.0 was released as the current stable build, with 4.10 entering beta. The release updated Intel drivers on Linux, added user-configurable auto remote quality, and included library and music transcoding fixes. Development continued at a steady pace despite the mounting security vulnerability track record.
Evidence (41 citations)
D1: User Value Erosion
D2: Business Customer Exploitation
D3: Shareholder Extraction
D4: Lock-in & Switching Costs
D5: Twiddling & Algorithmic Opacity
D6: Dark Patterns
D7: Advertising & Monetization Pressure
D8: Competitive Conduct
D9: Labor & Governance
D10: Regulatory & Legal Posture