CVE-2026-10107
Severity: HIGH
MoviePilot v2 SSRF via /api/v1/system/img/{proxy} Endpoint
Title source: cnaDescription
MoviePilot v2 contains a server-side request forgery vulnerability in the image proxy endpoint. An authenticated attacker can make the server fetch an attacker-chosen URL by supplying a resource_token cookie and a URL whose domain matches the assembled allowlist. Because the SecurityUtils.is_safe_url function performs only domain-membership checking and does not reject private, loopback, or link-local addresses, the check does not stop requests to internal network targets, enabling enumeration of internal services such as Jellyfin, Emby, or Plex and exfiltration of data from internal network resources.
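As an added illustration, written for this page and not taken from MoviePilot's own SecurityUtils code, the block below places a domain-membership-only check of the kind the advisory describes next to a hardened check that also pins the scheme and port to a configured origin and rejects names that resolve to private, loopback, link-local or otherwise non-global addresses. The hostnames, ports, allowlist entries and the in-memory resolver are constructed for the example; real deployments would use the getaddrinfo-backed resolver and connect to the returned addresses instead of re-resolving the name, which closes the DNS-rebinding window between check and fetch.

```python
"""Added example (not MoviePilot's code): weak vs. hardened SSRF allowlist check."""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]


def dns_resolver(host: str) -> List[str]:
    """Real resolver (getaddrinfo); the offline demo below injects a fake one."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def is_safe_url_weak(url: str, allowed_hosts: Iterable[str]) -> bool:
    """Domain-membership only, the flaw class the advisory describes.
    Scheme, port and the address the name resolves to are never examined,
    so any service on an allowlisted host (or on loopback, if 'localhost'
    is allowlisted) can be reached through the proxy."""
    host = urlsplit(url).hostname
    return host is not None and host.lower() in {h.lower() for h in allowed_hosts}


@dataclass(frozen=True)
class AllowedOrigin:
    scheme: str
    host: str
    port: int
    internal_ok: bool = False  # operator explicitly accepts a non-global address


def _origin_of(url: str) -> Optional[AllowedOrigin]:
    """Normalise a URL to (scheme, host, port); None if it is not plain http(s)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:  # non-numeric port
        return None
    return AllowedOrigin(parts.scheme, parts.hostname.lower(), port)


def is_safe_url_hardened(url: str, allowed: Iterable[AllowedOrigin],
                         resolver: Resolver = dns_resolver) -> Optional[List[str]]:
    """Return the resolved addresses to connect to if the URL is acceptable,
    None otherwise. The caller should connect to one of the returned addresses
    (sending the original name in the Host header) rather than resolving again."""
    origin = _origin_of(url)
    if origin is None:
        return None
    match = next((a for a in allowed if (a.scheme, a.host, a.port)
                  == (origin.scheme, origin.host, origin.port)), None)
    if match is None:  # exact origin match: host AND port AND scheme
        return None
    try:  # IP literal: no lookup, but the same address policy applies
        addrs = [str(ipaddress.ip_address(origin.host))]
    except ValueError:
        try:
            addrs = resolver(origin.host)
        except OSError:
            return None
    if not addrs:
        return None
    for a in addrs:  # every answer must pass, or a multi-answer name leaks inward
        ip = ipaddress.ip_address(a)
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 must be judged as 127.0.0.1
        # is_global is False for private, loopback, link-local, unspecified,
        # multicast and reserved ranges.
        if not ip.is_global and not match.internal_ok:
            return None
    return addrs


# Constructed data for the offline demo (hostnames and addresses are made up).
FAKE_DNS: Dict[str, List[str]] = {
    "localhost": ["127.0.0.1"],
    "jellyfin.example.internal": ["192.168.1.10"],
    "images.example.net": ["93.184.216.34"],
    "rebind.example.net": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolver(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[host]


WEAK_ALLOWLIST = ["localhost", "jellyfin.example.internal", "images.example.net"]
ALLOWED = [
    AllowedOrigin("http", "localhost", 5000),
    AllowedOrigin("http", "jellyfin.example.internal", 8096, internal_ok=True),
    AllowedOrigin("https", "images.example.net", 443),
    AllowedOrigin("https", "rebind.example.net", 443),
]

if __name__ == "__main__":
    for u in ("http://localhost:9091/", "http://jellyfin.example.internal:9091/",
              "http://jellyfin.example.internal:8096/Items", "https://images.example.net/a.jpg",
              "https://rebind.example.net/a.jpg", "file:///etc/passwd"):
        print(f"{u:48} weak={is_safe_url_weak(u, WEAK_ALLOWLIST)!s:5} "
              f"hardened={is_safe_url_hardened(u, ALLOWED, fake_resolver)}")
```

The weak check accepts any port on an allowlisted host, so a proxy guarded by it can be aimed at whatever else listens on that machine; the hardened check only ever fetches from a configured origin and, unless the operator has explicitly opted a non-global target in, refuses names that resolve (even partially) into private or loopback space.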
References
Patch Commit
https://github.com/jxxghp/MoviePilot/commit/0b7854a0af8751160b68c43c46ded48d2bd8a212
Third Party Advisory
https://www.vulncheck.com/advisories/moviepilot-v2-ssrf-via-api-v1-system-img-proxy-endpoint
Scores
CVSS v3.1 Base Score
7.7
EPSS
0.0025
EPSS Percentile
16.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (2)
jxxghp/MoviePilot
< 0b7854a0af8751160b68c43c46ded48d2bd8a212
jxxghp/MoviePilot
< v2.13.2
Published
May 29, 2026
Tracked Since
May 29, 2026