{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31831", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T17:41:56.077Z", "datePublished": "2026-03-30T19:42:23.002Z", "dateUpdated": "2026-03-31T19:09:40.491Z"}, "containers": {"cna": {"title": "Tautulli: Unauthenticated Path Traversal in `/newsletter/image/images` endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-23", "lang": "en", "description": "CWE-23: Relative Path Traversal", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m"}, {"name": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0"}], "affected": [{"vendor": "Tautulli", "product": "Tautulli", "versions": [{"version": "< 2.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T19:42:23.002Z"}, "descriptions": [{"lang": "en", "value": "Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /newsletter/image/images API endpoint is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. This issue has been patched in version 2.17.0."}], "source": {"advisory": "GHSA-xp55-2pf4-fv8m", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T18:39:50.406586Z", "id": "CVE-2026-31831", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T19:09:40.491Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Tautulli: Unauthenticated Path Traversal in `/newsletter/image/images` endpoint", "source": {"advisory": "GHSA-xp55-2pf4-fv8m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Tautulli", "product": "Tautulli", "versions": [{"status": "affected", "version": "< 2.17.0"}]}], "references": [{"url": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m", "name": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0", "name": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /newsletter/image/images API endpoint is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. This issue has been patched in version 2.17.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-23", "description": "CWE-23: Relative Path Traversal"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T19:42:23.002Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31831", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T18:39:50.406586Z"}}}], "references": [{"url": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m", "tags": ["exploit"]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-31T19:07:17.037Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-31831", "state": "PUBLISHED", "dateUpdated": "2026-03-30T19:42:23.002Z", "dateReserved": "2026-03-09T17:41:56.077Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-30T19:42:23.002Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tautulli:tautulli:*:*:*:*:*:*:*:*", "matchCriteriaId": "A0B5F451-819C-4ADA-BFFA-EDA898A7D082", "versionEndExcluding": "2.17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /newsletter/image/images API endpoint is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. This issue has been patched in version 2.17.0."}, {"lang": "es", "value": "Tautulli es una herramienta de monitoreo y seguimiento basada en Python para Plex Media Server. Antes de la versi\u00f3n 2.17.0, el endpoint de la API /newsletter/image/images es vulnerable a salto de ruta, permitiendo a atacantes no autenticados leer archivos arbitrarios del sistema de archivos del servidor de aplicaciones. Este problema ha sido parcheado en la versi\u00f3n 2.17.0."}], "id": "CVE-2026-31831", "lastModified": "2026-04-02T15:42:45.983", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-30T20:16:21.673", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-23"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.17.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Tautulli", "source": "cna", "vendor": "Tautulli"}, "product": "tautulli", "vendor": "tautulli"}], "analysis": {"en": {"generated_at": "2026-03-30T20:20:11.779378+00:00", "value": {"mitigation_remediation": ["Apply the latest Tautulli release 2.17.0 or newer immediately.", "Verify the fix by attempting a path traversal test to confirm files are no longer accessible.", "Monitor access logs for any anomalous file requests and consider restricting network access to the /newsletter/image/images endpoint until the patch can be applied."], "summary": {"action": "Patch Immediately", "impact": "Remote File Disclosure"}, "threat_synthesis": {"affected_systems": "Tautulli: Tautulli, any deployment running a version older than 2.17.0 of the Tautulli monitoring tool is affected. The fix is present in version 2.17.0 and later.", "description_and_impact": "The vulnerability in Tautulli\u2019s /newsletter/image/images API permits unauthenticated path traversal. By crafting a request with a path that navigates beyond the intended directory, an attacker can read any files accessible to the application process, potentially exposing sensitive configuration, logs, or personal data. This weakness corresponds to CWE-23 and results in unauthorized file disclosure.", "risk_and_exploitability": "The CVSS base score of 8.7 indicates high impact and low complexity, with an unauthenticated attacker able to exploit the flaw via an HTTP request. EPSS score is not available, so the current probability of exploitation in the wild is unknown, but the vulnerability is not yet listed in CISA\u2019s KEV catalog. An attacker can trigger the endpoint from any network location that can reach the Tautulli instance, making the attack highly feasible for exposed systems."}}}}, "created": "2026-03-30T20:55:05.091605+00:00", "updated": "2026-03-31T20:40:18.222942+00:00", "vendors": ["tautulli", "tautulli$PRODUCT$tautulli"]}