CVE-2026-31831
HIGHTautulli: Unauthenticated Path Traversal in `/newsletter/image/images` endpoint
Title source: cnaDescription
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /newsletter/image/images API endpoint is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. This issue has been patched in version 2.17.0.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m
X_Refsource_Misc x_refsource_misc
https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0
Scores
CVSS v3
7.5
EPSS
0.0048
EPSS Percentile
37.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-23
Status
published
Products (2)
tautulli/tautulli
< 2.17.0
Tautulli/Tautulli
< 2.17.0
Published
Mar 30, 2026
Tracked Since
Mar 31, 2026