CVE-2026-31804

{"id": "CVE-2026-31804", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2026-03-30T20:16:21.517", "references": [{"url": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-qj2f-4c4p-wv97", "tags": ["Vendor Advisory", "Exploit"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /pms_image_proxy endpoint accepts a user-supplied img parameter and forwards it to Plex Media Server's /photo/:/ transcode transcoder without authentication and without restricting the scheme or host. The endpoint is intentionally excluded from all authentication checks in webstart.py, any value of img beginning with http is passed directly to Plex, this causes the Plex Media Server process, which typically runs on the same host or internal network as Tautulli, with access to RFC-1918 address space, to issue an outbound HTTP request to any attacker-specified URL. This issue has been patched in version 2.17.0."}, {"lang": "es", "value": "Tautulli es una herramienta de monitoreo y seguimiento basada en Python para Plex Media Server. Antes de la versi\u00f3n 2.17.0, el endpoint /pms_image_proxy acepta un par\u00e1metro 'img' proporcionado por el usuario y lo reenv\u00eda al transcodificador /photo/:/ transcode de Plex Media Server sin autenticaci\u00f3n y sin restringir el esquema o el host. El endpoint est\u00e1 intencionalmente excluido de todas las comprobaciones de autenticaci\u00f3n en webstart.py, cualquier valor de 'img' que comience con HTTP se pasa directamente a Plex, esto hace que el proceso de Plex Media Server, que normalmente se ejecuta en el mismo host o red interna que Tautulli, con acceso al espacio de direcciones RFC-1918, emita una solicitud HTTP saliente a cualquier URL especificada por el atacante. Este problema ha sido parcheado en la versi\u00f3n 2.17.0."}], "lastModified": "2026-04-14T01:43:40.347", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tautulli:tautulli:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A0B5F451-819C-4ADA-BFFA-EDA898A7D082", "versionEndExcluding": "2.17.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}