CVE-2026-31831

Exploit

EPSS 0.08%
Veröffentlicht 30.03.2026 19:42:23
Zuletzt bearbeitet 02.04.2026 15:42:45
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /newsletter/image/images API endpoint is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. This issue has been patched in version 2.17.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Tautulli ≫ Tautulli Version < 2.17.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.08%	0.228

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	8.7	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-23 Relative Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0

Release Notes

https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-31831

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-31831

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-31831

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-31831