Leaderboard

Actually it was via a PM to the Admins following the security incident - to be fair, some of the oustanding items have now been completed in 4.8+ (those in Green below) - but the password one has sadly not been implemented... @Luke @ebr @softworkz -- "Hi All, So I've been keeping a track of the proposed security changes post the security issue in May (for my my own security audit) and thought I'd share it. Would it be worth providing an update to the security incident thread/blog as you guys have made some great progress with the 'security' side of things. Maybe you want to finish the Authorisation overhall with all the Clients before pushing something out on the Blog ? I also just wanted to say that I appreciate the security enhancements, my trust in the product is now a lot better pre-incident, and even though my service sits behind multiple external perimeter defenses, it's still nice to have a security conscious core product. Regards." Action Detail Status Availability Brute Force Lockout Will now add fixed delay to response if incorrect password has been entered 10+ times. Complete Beta 4.8+ Brute Force Lockout Notification Separate Notification type added if the above is activated. Complete Beta 4.8+ Proxy Headers Proxy headers may be turned on/off or if deemed to be remote (ie non RFC1918 addresses) Complete Beta 4.8+ Plugin Security Enhancements made to Plugin security. Complete Beta 4.8+ User Admin Improvements in viewing 'users' as a table to see their Admin status, last login etc. Pin outstanding but optional anyway. Complete Beta 4.8+ Local vs Remote Access Concept has been replaced with local device token passed Authentication. Complete Beta 4.8+ Local vs Remote Access Server side is complete, and clients are being updated allowing multi-users with token based passwords to be saved on the device. Web, Roku and Android have been updated thus far (as of 8th Oct 2023) Complete Beta 4.8+ PIN Access Not directly related to the incident, but due the above allowing priviledged accounts to be 'saved' with a valid token on any device, this allows a 2nd layer of Access control for those already logged into the device. It is not a MFA mechanism. Complete Beta 4.8+ Password strength/entropy Still no password strength check - allow a weak password, but get user acknowledgement that is is unsuitable for remote usage ? Outstanding tbc User/Group Admin Further improvements to add Library Access to the users Admin table - or show in the Library views. Ie a table showing which users have access to which libraries on a single page. Feature Request tbc Cipher Hygeine Update Remove outdated ciphers from .NET In progress ? tbc Unauthorised Image access. Images can still be accessed remotely if the URL is known. For metadata, probably not an issue, but for personal photo libraries, then this is a PII data issue - and should be resolved asap. Security Bug tbc

Hi there, it was me . Next update should solve the issue. I realized that the translations were pulled from auto translate websites, which prefer corporate speech. Not my kind of "entertainment".

I'm not sure what the issue is, but there might not be enough Apple TV Emby users. I'd be happy if Emby on Apple TV had the same features as it does on iOS, though that might require a major overhaul. I also own a few Nvidia Shields, I much prefer the Apple TV for its superior interface and smooth performance. Infuse is what I use. I find it to be a better player than anything you can find on Android or Apple TV. If only it could do Live TV.

I feel your pain, I am also in the process of potentially migrating from Plex to Emby. The learning curve is real. Plex is a very polished product. Emby seems to still be a little rough around the edges, but I keep discovering more and more features that Emby has that I wanted as a Plex user. The case for migration keeps getting stronger! Maybe we can start a group "plex users anonymous" and help each other though the process. Maybe even get Darkstar to join as our mentor!

That is a cool feature I have not messed with yet. However, Emby does in fact pickup and use the image if it exists in the Season 01 folder, if the image name is exactly the same as the folder name. So Emby is flexible and smart enough to figure out either location/naming. That is if the user (me) is smart enough to actually make the file names match!

As well for my users I do not let them access to my emby server via web browser, I'm forcing them to use emby apps and you can link each user to specific devices: On Access Tab for each user: So you can link specific users to specific devices and this will block any other type of connection even if they figure the user password, as the device will not match they will not be able to access to your server. Hope this helps.

Emby and security have a love/hate relationship. A 'scare' happended a while ago where their lack of modern Auth caused 'local' accounts to be accessable remotely and thus 'hacked' (there was no evidence anything was done beyond emby itself) - but they did improve various things (I'll find the list shortly..) but one thing they never completed, despite being an obvious omission to even 'basic' security - is the lack of a password policy and password enforcement. I totally 'get' that users may not want passwords on a local install - but as soon as you allow remote connectivity - you change the risk in using Emby significantly and thus, the wizard should force a password check/update on all existing and any future accounts. For each Admin account, it should force something half decent to stop brute force (remembering strangely that Emby DID implement password lockout first ..) and for normal users - an 'short' password is probably ok, but something is better than nothing, remembering an attacker does not know the entropy of the password used. But simply put - do not allow no passwords when emby has a gateway into your home network from the open internet. Let me find the list - they started working though it and were doing well - but progress then stalled/stopped ...

OK this worked. Having as a sub-folder is different for me...as PLEX doesn't need a sub-folder. I feel dumb...lol But thanks everyone...migrating to emby from plex this last 24 hours or so. Little bit of learning, but overall the same.

I believe that the issue is that you're using o:\Looney tunes that is the show folder as a library folder. Try the following: Put Looney Tunes folder into another folder, for example WB Cartoons: O\WB Cartoons\Looney Tunes and then, remove from your library o:\Looney Tunes and add O:\WB Cartoons as your library folder. This will solve the issue. The issue is that the Show folder is now the library folder, so emby expect to get a subfolder for the show and there isn't. PS: If you plan to continue using Plex, after this change update Plex library accordingly. Hope this helps.

In tweaking my server a bit over the last few days, and in reading and replying to some posts here, a couple of (what seem to me) rather simple security enhancements came to mind. 1. Option to require password. This could be both a global or individual user setting. It doesn't have to change the behavior of anything else. Actually... I couldn't believe this wasn't there somewhere. Am I missing it? Couldn't a user just delete their own password and open a security hole? 2. Global option hide profile pictures/login. Right now, the only way to do this is per user, which is fine for someone like me that only has 5 It doesn't seem like these would be difficult changes unless I'm missing something.

We have too many strings, too many languages and too few translators to do that. For many languages we're happy when there's even one person to do translation. No way to block all them, waiting for votes. But we are preparing an approval model. You can already see the column for it (all zeros currently). It's not quite clear how, but maybe we'll have maintainers for the frequent languages (one per language) and AI-based automated approval for more rare languages.

Danke! Zum Glück ist der Unsinn an Schulen inzwischen explizit verboten.

Director ==> Regisseur*in ... bereits vor 11 Tagen korrigiert zu Regisseur Actor ==> Schauspieler*in ... bereits vor 11 Tagen korrigiert zu Schauspieler Wegen der Korrektur habe ich es auch nicht gleich gefunden.

What ever you its all fixed. Thank you very much @Luke

The data gets blown up for display in the data grid (where you do the filtering) as it's in a different format (json) than in the M3U. When you save the filter, the whole grid data is transferred back to the server (because in other cases, grid data can be editable)

Another plugin bug. It discards all episodes where it cannot immediately determine the season and episode number.

Yes, I found them, they were in a different folder.

Thank you

Hi, I've referred this to our build and packaging developer for comment. Thanks.

fyi, I found a sync bug when a playlist was removed. Will be fixed in next version.

This was a 1 hour too early issue before MAR 9th and I suspect will remain one after NOV 2nd

I have re-opened the gracenote issue I am hoping that it is a simple case where day light saving adjustment is not being made

It's basically a readable export of the media database of Emby You could also duplicate the Emby database and extract with queries datas you need from it but will need more work !

The Reports plugin does most of that. It can be found in the Plugins catalog.

Technically this will only apply to folder view as Emby stopped supporting nested Collections folders a long time ago. So that folder level is never read except for folder view presenting the actual folder levels. Want to say that was a change back in 4.6 or 4.7. Collections are virtual items now and are created from the <set> node in individual movie metadata, or is you do not write nfo files then same node written in database. The library option are primarily for getting the info from TMDB otherwise it is a manual process. Emby will always honor the <set> not in any items metadata. Folder structure will not create a Collection per se (just folder view).

as you are currently working on live tv anyway, this seems to be a good time frame to add

that can happen if for example user A has already logged from a Web browser and his/her credentials are cached (cookie), even the new policy applies, the cache on the browser skips the policy, and continue logging him/her from a now unauthorized device. try clean browser cache and cookies, or even better, if you have a phone or tablet try to login with a user that has no permissions to log from this device and see what happens. Hope this helps.

Additionally you can blacklist the IP that have been used to connect with all your users into your server, i'ts not a great solution but at least you will be sure from this IP they will never access again: In my case I've blacklisted all IP's that tried to access my server even they did not get access

Yea I may have mis-understood. All I read was Emby needed to use folders. But everything is already in a folder. It should say Emby uses sub-folders.

OK, will give it a try and will get back with results, full Scan Media Library takes more than 2 hours in my case, so I will do when I can

The Apple TV has been around since 2007. The first Nvidia Shield came out in 2015. Maybe not a high volume of folks that use Emby are using an Apple TV, but that could be because of several reasons.

Aha! You've finally taken a look. Anyway, yes that's good to know. Thanks very much.

It is possible to get rid of it. I had to go to the registry editor and do a search for the word Emby. There was still a ton of Emby related crap in the registry which I got rid of one by one. And 3 years later the only comment from Emby in various threads about this issue over and over again is 'we'll take a look'.

Okay, I see there's already a request. I don't know why that didn't come up in my first search: We can close or move this topic.

Yes, I was able to invoke the install from my android phone to Homatics Box R 4K Plus. In play store on both devices, I changed my email account to match my premiere account. Collections are now visible on the app.

In case you missed the airing of "Precious World of Pearls", here is the schedule - pick any and check the actial time and let me know - program, actual airing time and duration start (local time) end title 2025-09-19 16:00 2025-09-19 18:00 Prazana Lab-Grown Diamonds 2025-09-19 18:00 2025-09-19 20:00 Precious World of Pearls 2025-09-19 20:00 2025-09-19 22:00 Girlfriend Friday 2025-09-19 22:00 2025-09-20 00:00 Stefano Oro Italian Jewelry 2025-09-20 00:00 2025-09-20 02:00 To Be Announced 2025-09-20 02:00 2025-09-20 03:00 Silver Showcase Jewelry 2025-09-20 03:00 2025-09-20 04:00 Bella Luce Jewelry 2025-09-20 04:00 2025-09-20 05:00 Moda al Massimo Jewelry 2025-09-20 05:00 2025-09-20 06:00 Prazana Lab-Grown Diamonds 2025-09-20 06:00 2025-09-20 07:00 Sparkle in Silver Jewelry 2025-09-20 07:00 2025-09-20 10:00 To Be Announced 2025-09-20 10:00 2025-09-20 12:00 To Be Announced 2025-09-20 12:00 2025-09-20 14:00 Stefano Oro Italian Jewelry 2025-09-20 14:00 2025-09-20 18:00 Personalized Style 2025-09-20 18:00 2025-09-20 20:00 Color Crush Jewelry 2025-09-20 20:00 2025-09-20 22:00 Stefano Oro Italian Jewelry

I'm sure it's okay, but it's fine. I just prefer to use Windows the traditional way without app stores. No worries, I can live without it. Since you support FreeBSD as server platform, there's nothing the Emby team could do to upset me

HI, adding a folder to mulitple libraries is only supported if all libraries involved use the same content type, which would not be the case here. And even when that's true, ideally you want the libraries configured identically because you will not be able to predict which library options get used.

Hi Vic, Same for me, just tested the latest version and looks like all is good, thank you.

Hello, new to Emby and have been searching and see this is a mixed bag topic with many wanting empty folder shows to show and others not. I like the poster above use Sonarr and it will delete the episodes, but leave an empty season folder behind. Hope that the option to hide shows with no video files is implemented.

For anyone seeing this please up vote this

Hi, there's a good comment here:

Thanks, you're welcome. If you want me to name something, then it would be: Please create new topics for new questions, if possible.

That's not the fix. This previous issue was that searching for impossible, possible would not return any results. Now it does.

This case is resolved in 4.9.1.26. Thanks.

This case is resolved in 4.9.1.26. it should help a lot of other cases.

Hi, this will be in the 4.9 server release for the web app, and will be in the next update to many of our apps. It will come in the form of a user setting: And then you will screens like this: Of course it is not guaranteed to be applied everywhere, particularly when it comes to screens that are more intended for media management purposes than viewing. Enjoy.

HI, yes this is the right place. No more info needed. Thanks.

It's certainly possible, yes.

Hi all, since I spent some time to illustrate my version of the same request, let me repost it the images along with my description: I would like to have a function in the user-interface (UI) to move media from one library to another library. I have tried to illustrate an example here (in red): Currently, I have to do that on a filesystem level, and only I can do that. Adding that to the UI would enable other users to do that as well (with sufficient privileges). Once the destination is picked, a new dialog should pop up, what the transfer-request should move on the file-system basis: I hope that my idea is not totally absurd and finds many supporters! Thank you all! RooDee Original Post: