CVE-2026-31831 PUBLISHED

Tautulli: Unauthenticated Path Traversal in `/newsletter/image/images` endpoint

Assigner: GitHub_M
Reserved: 09.03.2026 Published: 30.03.2026 Updated: 30.03.2026

Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /newsletter/image/images API endpoint is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. This issue has been patched in version 2.17.0.
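For hosts that ran a version before 2.17.0, the following added example (not part of the CVE record or of Tautulli's code) reviews web or reverse-proxy access logs for requests to this endpoint that carry a `..` path segment, including percent-encoded and backslash forms. The combined log format, the sample lines and the file names are constructed assumptions; the record does not say how the endpoint receives the file name, so the check covers everything after the endpoint path.

```python
import re
from urllib.parse import unquote, urlsplit

ENDPOINT = "/newsletter/image/images"  # endpoint named in the advisory
# Request line inside a combined-format access log entry (format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_request(target):
    """True if the request target hits ENDPOINT and carries a '..' path segment."""
    path = decode_fully(urlsplit(target).path).replace("\\", "/")
    if ENDPOINT not in path:
        return False
    tail = path.split(ENDPOINT, 1)[1]
    return ".." in tail.split("/")


def flag_log_lines(lines):
    """Return the log lines whose request matches is_traversal_request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_traversal_request(m.group(1)):
            hits.append(line)
    return hits


# Constructed sample log lines (documentation IP range, made-up file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Mar/2026:10:00:01 +0000] "GET /newsletter/image/images/header.png HTTP/1.1" 200 5120',
    '192.0.2.44 - - [30/Mar/2026:10:00:07 +0000] "GET /newsletter/image/images/../../example.txt HTTP/1.1" 200 310',
    '192.0.2.44 - - [30/Mar/2026:10:00:09 +0000] "GET /newsletter/image/images/%2e%2e/%2e%2e/example.txt HTTP/1.1" 200 310',
    '192.0.2.44 - - [30/Mar/2026:10:00:11 +0000] "GET /newsletter/image/images/%252e%252e%5cexample.txt HTTP/1.1" 404 0',
    '192.0.2.10 - - [30/Mar/2026:10:00:15 +0000] "GET /home HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in flag_log_lines(SAMPLE_LOG):
        print(hit)
```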

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.7

Product Status

Vendor Tautulli
Product Tautulli
Versions
  • Version < 2.17.0 is affected

Problem Types

  • CWE-23: Relative Path Traversal