Home

Description

MoviePilot v2 contains a server-side request forgery vulnerability in the image proxy endpoint that allows authenticated attackers to request arbitrary URLs by supplying a resource_token cookie and a URL whose domain matches the assembled allowlist. Attackers can bypass internal network protections because the SecurityUtils.is_safe_url function performs only domain-membership checking without blocking private, loopback, or link-local addresses, enabling enumeration of internal services such as Jellyfin, Emby, or Plex and exfiltration of data from internal network resources.

PUBLISHED Reserved 2026-05-29 | Published 2026-05-29 | Updated 2026-05-29 | Assigner VulnCheck




HIGH: 7.7CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

HIGH: 7.0CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Problem types

CWE-918 Server-Side Request Forgery (SSRF)

Product status

Default status
unknown

Any version
affected

Any version
affected

Credits

YU SUN finder

References

github.com/jxxghp/MoviePilot/issues/5823 exploit

github.com/jxxghp/MoviePilot/issues/5823 (GitHub Issue) issue-tracking

github.com/jxxghp/MoviePilot/issues/5823 (Pull Request) technical-description

github.com/...ommit/0b7854a0af8751160b68c43c46ded48d2bd8a212 (Patch Commit) patch

github.com/jxxghp/MoviePilot/releases/tag/v2.13.2 (Release Notes) patch

www.vulncheck.com/...rf-via-api-v1-system-img-proxy-endpoint third-party-advisory

cve.org (CVE-2026-10107)

nvd.nist.gov (CVE-2026-10107)

Download JSON