Tautulli: Unauthenticated Path Traversal in `/newsletter/image/images` endpoint_CVE-2026-31831

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /newsletter/image/images API endpoint is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. This issue has been patched in version 2.17.0.

Basic Information

ID CVE-2026-31831

Source GitHub_M

Published Mar 30, 2026 at 19:42

Modified Mar 31, 2026 at 19:09

Affected Product

Vendor Tautulli

Product Tautulli

Version < 2.17.0

Affected Versions Tautulli Tautulli < 2.17.0

CWE Classification

CWE-23

References

{
    "lastseen": "",
    "description": "Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /newsletter/image/images API endpoint is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. This issue has been patched in version 2.17.0.",
    "published": "2026-03-30T19:42:23.002Z",
    "modified": "2026-03-31T19:09:40.491Z",
    "type": "cve",
    "title": "Tautulli: Unauthenticated Path Traversal in `/newsletter/image/images` endpoint",
    "source": "GitHub_M",
    "references": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m\nhttps://github.com/Tautulli/Tautulli/releases/tag/v2.17.0",
    "id": "CVE-2026-31831",
    "bulletinFamily": "",
    "cwe": [
        "CWE-23"
    ],
    "cvelist": null,
    "sourceData": "Tautulli Tautulli < 2.17.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Tautulli",
    "version": "< 2.17.0",
    "vendor": "Tautulli",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}