Jellyfin
Jellyfin is a free and open-source media server software that lets users host and stream their personal media collections. Forked from Emby in 2018, it provides a completely free alternative to Plex with no premium features, tracking, or third-party dependencies.
Score generated by AI agents based on publicly cited evidence and reviewed by the project maintainer. Not independently validated.
Score History
Timeline events are AI-curated from public reporting. Score trajectory is derived from documented events.
Jellyfin was forked from Emby's 3.5.2 codebase in December 2018 after Emby went closed-source. The project inherited GPL licensing ambiguity from the mixed-license Emby repository, had no client applications (Emby cut access), and relied on a tiny founding team of volunteers. Early switching costs were higher as migration tools and documentation did not yet exist, and the inherited codebase contained code debt from Emby's compromised open-source practices.
By mid-2020, Jellyfin had shipped five major server releases (10.0-10.6), migrated to .NET Core 3.1, built four client apps from scratch, introduced SyncPlay and third-party plugin support, and established a formal social contract and governance constitution modeled on Debian's. The contributor base grew but remained concentrated among a few individuals. GPL ambiguity persisted, though the project had adopted a clear licensing position. Database portability remained limited but media files stayed fully portable.
Jellyfin 10.7 and 10.8 delivered HDR tone mapping, QuickConnect authentication, comprehensive hardware acceleration across all major GPU vendors, and migration to .NET 6. The Swiftfin iOS app launched on the App Store with 9,000+ TestFlight users. Security vulnerabilities emerged (CVE-2021-21402 arbitrary file read, documented design flaws), though patches were released promptly. The project established NFO metadata standard support for cross-platform interoperability and migration documentation improved.
Jellyfin surpassed Plex with 51.2% self-hosted market share, released three major versions (10.9, 10.10, 10.11) with 1,100+ pull requests, trickplay, HDR/Dolby Vision, EF Core database migration, and backup/restore. The project told donors to stop donating and redirect to client developers. Security response matured with prompt CVE patching, and the 'State of the Fin' blog series launched. Contributor sustainability remains the primary governance concern.
Alternatives
Partially closed-source media server that Jellyfin was forked from in 2018. Offers a similar feature set to Jellyfin with a more polished interface. Emby Premiere required for some features ($4.99/month). If Jellyfin's volunteer-only support model is a concern, Emby provides a commercial alternative with paid support options.
The most popular personal media server with polished apps on every platform, a large community, and cloud-based account features. Core streaming is free; hardware transcoding, mobile sync, and offline downloads require Plex Pass ($4.99/month or $119.99 lifetime). More beginner-friendly than Jellyfin but has been steadily adding ads and monetization to free accounts.
Dimensional Breakdown
Summaries below were written by AI agents based on the cited evidence. They are editorial interpretations, not independent research findings.
Dimension History
Timeline (25 events)
Jellyfin Forked from Emby After Closed-Source Announcement
Co-founders Andrew Rabert and Joshua Boniface initiated the Jellyfin fork from Emby's 3.5.2 codebase after Emby announced its 4.x release would be closed-source. The fork was motivated by Emby's GPL violations, removal of client app source code, addition of paywalls for free users, and lack of openness to community contributions. The name 'Jellyfin' was conceived by Rabert the following day.
Jellyfin Initial Alpha Release Published
The first Jellyfin release (v3.5.2-5) was made publicly available, directly descended from Emby's last fully open-source version. The release marked the beginning of independent development, though the project started with no clients since Emby had cut access to its client applications.
GPL License Ambiguity from Emby Codebase Identified
Community members identified that the Emby codebase inherited by Jellyfin had ambiguous GPL versioning. The repository contained a mix of GPLv2, GPLv2+, GPLv3, MIT, BSD, and Apache 2-licensed dependencies. Individual files lacked explicit GPL version declarations despite having a GPLv2 file in the LICENSE directory. Jellyfin adopted the position that the code was GPLv2-or-later with GPLv3 binaries.
Jellyfin 10.0 Released with New Version Numbering
Jellyfin released version 10.0.0, establishing its own version numbering scheme separate from Emby. This was the project's first 'real' release, marking the transition from the inherited Emby codebase to an independent project identity. Versions 10.0.0 through 10.1.0 were all released on the same day.
LazyMan Plugin Link Removed Due to Copyright Concerns
Jellyfin removed the link to the third-party LazyMan plugin from its official documentation. LazyMan enabled free streaming of NHL and MLB games, and the project determined that listing it was not in Jellyfin's best interest due to potential copyright issues, mirroring the approach taken by the Kodi team.
First Full Year: Five Major Releases and Four Client Apps
Jellyfin's retrospective documented remarkable first-year growth: five major releases (10.0 through 10.4) with dozens of hotfix revisions, four well-supported client apps (Android, Android TV, Kodi, web) built from scratch after losing access to Emby's clients, over 20 plugins, Docker images with 52+ million pulls, and support for Debian, Ubuntu, Fedora, CentOS, Windows, and macOS.
Jellyfin 10.5 Anniversary Release with .NET Core 3.1 Migration
Version 10.5.0 was released as the first anniversary release with over 200 contributions and 500+ issues closed. The release migrated from .NET Core 2.2 to 3.1, enabling ARM64 Linux support, TLS v1.3 compatibility, and improved garbage collection. Hardware acceleration was expanded with AMD AMF support and full Raspberry Pi hardware encoding.
Jellyfin 10.6 Introduces SyncPlay and Third-Party Plugin Repositories
Version 10.6.0 introduced SyncPlay, allowing multiple users to watch content together in synchronized rooms with millisecond-level delay. The release also added epub ebook support, third-party plugin repository support enabling community-maintained plugins without official repository involvement, and over 500 merged pull requests across server and web client.
Android Client Rewritten from Scratch as Native App
The Jellyfin Android mobile client was completely rewritten, replacing the old Cordova-based wrapper with a native Android implementation. The rewrite began in July 2020 and established a fresh git history, representing a significant investment in the mobile experience and moving away from web-based client architecture.
Jellyfin 10.7 Brings HDR Tone Mapping and QuickConnect
Version 10.7.0 introduced HDR tone mapping for NVIDIA, AMD, and Intel hardware, QuickConnect passwordless authentication for TV devices, SyncPlay for TV shows and music, PDF/comic reader functionality, and migrated from ServiceStack to ASP.NET. TVDB was modularized from core into a separate plugin, establishing a pattern of keeping the core lean.
Security Design Flaws Collection Published on GitHub
A comprehensive collection of potential security issues was published as GitHub issue #5415, documenting design flaws including JavaScript-based client authentication via browser LocalStorage (vulnerable to XSS), unauthenticated video stream endpoints, and API access that could be escalated with any valid user ID plus authentication token. Many issues were flagged for long-term fixing in a future major release.
CVE-2021-21402: Unauthenticated Arbitrary File Read Patched
A critical vulnerability (CVE-2021-21402) was discovered and patched in version 10.7.1 that allowed unauthenticated arbitrary file read from Jellyfin servers, particularly affecting Windows hosts. The vulnerability exploited audio HLS endpoints with crafted URL paths to bypass file extension restrictions. The patch implemented proper path canonicalization.
Jellyfin 10.8 Released with Comprehensive Hardware Acceleration
Version 10.8.0 was released after a long development cycle accumulating nearly two years of changes. The release introduced Dolby Vision Profile 5 and 7 tone-mapping, CUDA-based tone-mapping for NVIDIA, extended OpenCL tone-mapping for Intel, hardware-based subtitle burn-in, and full hardware-accelerated filtering across Intel, AMD, and NVIDIA hardware. The release migrated to .NET 6.
Swiftfin iOS/tvOS App Launched on Apple App Store
Swiftfin, Jellyfin's native iOS/iPadOS/tvOS client built with SwiftUI and VLCKit, was published on the Apple App Store. Originally started as a summer project in 2021 by contributor Aiden, the team released it officially after the TestFlight beta filled with over 9,000 users. The app provided Jellyfin's first official Apple platform presence.
Jellyfin Issues Public Call for Developers
Project leadership published a blog post acknowledging that the core contributor base of approximately 30 active people was under strain maintaining the server, web UI, and all official clients. The post called for new contributors across development, documentation, UI/UX design, and translations, while reaffirming the commitment to volunteer-only development with no paid positions.
Security Blog Post and 10.8.13 Hotfix Patch Two Critical Vulnerabilities
Joshua Boniface published a 'Jellyfin Security & You' blog post alongside the 10.8.13 hotfix release, addressing two serious security vulnerabilities (GHSA-rr9h-w522-cvmr and GHSA-866x-wj5j-2vf4). The FFmpeg path GUI configuration option was disabled for security reasons. The vulnerabilities involved possible remote code execution via custom FFmpeg binary and argument injection in FFmpeg codec parameters.
Jellyfin 10.9 Released with 1,100+ Pull Requests
Version 10.9.0 was released with over 1,100 merged pull requests, introducing trickplay video scrubbing (live preview during seeking), multiple simultaneous subtitle tracks, AVIF and WEBP format support for picture libraries, and modularization of DLNA into a first-party plugin. The release also improved web redirection handling and networking reliability.
Project Tells Donors to Stop Donating, Redirect to Client Developers
Jellyfin project leader Joshua Boniface published an Open Collective update titled 'We're Good, Seriously,' revealing the project had over $24,000 in reserves with only ~$600/month in expenses (40+ months of runway). The post asked donors to redirect contributions to individual client app developers instead, noting that client maintenance was the hardest part of the ecosystem. The story was covered by Gigazine Japan and reached the front page of Hacker News.
Jellyfin Surpasses Plex in Self-Hosted Market Share
The r/selfhosted community survey of 2,181 respondents found Jellyfin at 51.2% market share (1,110 users) versus Plex at 36.9% (801 users), marking the first time Jellyfin exceeded 50% among homelab enthusiasts. The shift was driven by Plex's increasing monetization, ad insertion, and interface changes pushing users toward free alternatives.
CVE-2024-43801: Stored XSS via SVG Profile Image Upload
A vulnerability was disclosed that allowed a low-privileged user to upload a malicious SVG file as their profile image, which could execute JavaScript when viewed outside the Jellyfin UI. If an admin viewed the image directly in a browser, the SVG could read their access token from LocalStorage and escalate privileges to administrator. The vulnerability was patched in version 10.9.10 by forcing images to download rather than render.
Jellyfin 10.10 Adds Media Segments and HDR10/Dolby Vision Support
Version 10.10.0 introduced Media Segments, a framework for marking time spans in videos (enabling features like intro skipping via plugins), software tonemapping for HDR10, HLG, and Dolby Vision, initial Dolby Vision Profile 10 support, Dolby AC-4 audio support, and FFmpeg 7.0. The release improved transcoding capabilities and established infrastructure for future content-aware features.
Jellyfin 10.10.7 Patches FFmpeg Injection and IP Spoofing Vulnerabilities
Version 10.10.7 patched CVE-2025-31499 (FFmpeg argument injection enabling possible remote code execution, a bypass of the CVE-2023-49096 fix) and CVE-2025-32012 (IP spoofing allowing unauthenticated server restarts via spoofed LAN IP addresses). The release also fixed trusted proxy configuration to prevent unauthorized API access from untrusted sources.
Jellyfin 10.11 Delivers EF Core Database Migration and Backup/Restore
Version 10.11.0 completed the long-planned migration from legacy SQLite handling to Entity Framework Core, removing legacy database code and enabling future support for alternative database backends like PostgreSQL. The release introduced built-in backup and restore functionality, in-memory caching for faster navigation in large libraries, improved search performance, and FFmpeg 7.1 support. It dropped 32-bit ARM support.
Jellyfin Desktop 2.0 Rebranded and Migrated to Qt 6
The Jellyfin Desktop client was rebranded from 'Jellyfin Media Player' to 'Jellyfin Desktop' and rebuilt on Qt 6 and MpvQt. The rewrite added multiple profile support, MPRIS media control integration, and improved performance. Released on Flathub and AUR, though stable Windows and macOS builds were not yet available at launch.
State of the Fin 2026: Seventh Anniversary and Version Scheme Revision
Jellyfin published its inaugural 'State of the Fin' blog series entry marking the project's seventh anniversary. The post highlighted four point releases with 100+ changes since 10.11.0, ongoing work on the Roku and Swiftfin clients, and consideration of revising the versioning scheme to 12.0 for a future major release. The project reaffirmed its commitment to open source and volunteer-only development.