CVE-2026-43986 in Tautulliinformación

Resumen

por MITRE • 2026-06-04

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose a public `/image/` route that resolves attacker-controlled entries from `image_hash_lookup` and replays them through the same server-side image fetch logic used by authenticated image proxying. A low-privilege guest user can seed a malicious external image URL into this lookup table and then trigger server-side fetches through a fully unauthenticated endpoint. This turns an authenticated SSRF primitive into a persistent unauthenticated SSRF gadget. Once the malicious hash entry exists, any external user can request `/image/.png` and cause the PMS or Tautulli host to fetch an arbitrary attacker-chosen URL. Version 2.17.1 patches the issue.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Responsable

GitHub M

Reservar

2026-05-04

Divulgación

2026-06-04

Moderación

aceptado

Artículo

VDB-368369

CPE

listo

CWE

CWE-918 (confirmado)

CVSS

9.9 (CNA)

EPSS

0.00000

KEV

Actividades

medio

Fuentes

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-43986
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-43986
CVE Details	https://www.cvedetails.com/cve/CVE-2026-43986/

◂ Anterior Visión De Conjunto Próximo ▸

Interested in the pricing of exploits?

See the underground prices here!