this post was submitted on 19 May 2026
278 points (97.0% liked)
Selfhosted
60177 readers
703 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil.
-
No spam.
-
Posts are to be related to self-hosting.
-
Don't duplicate the full text of your blog or readme if you're providing a link.
-
Submission headline should match the article title.
-
No trolling.
-
Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 3 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
I am aware that an rce is the worst possibility I'm saying it shouldn't be. The web portion is already its own isolated binary that you have to install but it's designed with seemingly very little attention to security.
To the point that jellyfin has already had several major RCE and despite having full support for running over the web with http developers are basically just like you should not be using this without a VPN which is overall a pretty pathetic stance for a media server
Recently nginx had an RCE, so if your web server interface has an RCE, it doesn't matter if jellyfin code is top-notch, if you happen to use a proxy with RCE in front of it. Wireguard has never had an RCE and I'm relatively certain it never will, because I believe you must be in possession of some keys to go very deep in the wireguard code, which in itself is not very large piece of code.
But yes, in principle I agree that we should code securely instead of depending on VPN to solve it for us, unfortunately it's not the reality today. Memory safe programming languages help, but don't completely protect against logic errors. VPN is general is pretty good for defence-in-depth.
The nginx rce relied an a series of requirements that affect almost nobody. You had to be using a very specific module and processing a specific type of data reverse proxy was not affected.
But regardless I get your point that anything can have an RCE. However as you say at the end in principle that does not mean you should just give up and expect external projects to handle your security. VPN is a great way to access your services and it is good defense and depth, but for the sake of being a successful project to the masses? It's basically a dead end Road
I think that's why we should still have requirements against software we run (although as some funnily say, we are free to get a refund), but not pretend that the software is more secure than it is known to be. sad that we need a VPN for security, but it is what it is.
I don't know how could we get our devs to be more attentive to security.
it is pathetic indeed, but I think much fewer projects admit it than how many should