Description

Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /newsletter/image/images API endpoint is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. This issue has been patched in version 2.17.0.

PUBLISHED Reserved 2026-03-09 | Published 2026-03-30 | Updated 2026-03-31 | Assigner GitHub_M




HIGH: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)

Problem types

CWE-23: Relative Path Traversal

Product status

< 2.17.0: affected

References

github.com/...utulli/security/advisories/GHSA-xp55-2pf4-fv8m exploit

github.com/...utulli/security/advisories/GHSA-xp55-2pf4-fv8m

github.com/Tautulli/Tautulli/releases/tag/v2.17.0

cve.org (CVE-2026-31831)

nvd.nist.gov (CVE-2026-31831)
