Server-Side Request Forgery Vulnerability in MoviePilot v2 by MoviePilot Team
CVE-2026-10107

7 HIGH

Key Information:

Vendor: JxxgHP
CVE Published: 29 May 2026

What is CVE-2026-10107?

MoviePilot v2 contains a server-side request forgery (SSRF) flaw in its image proxy endpoint. An authenticated attacker who supplies a resource_token cookie and a URL whose host matches the endpoint's allowlist can make the application issue a request to that URL on the attacker's behalf. The guard, SecurityUtils.is_safe_url, only checks that the host belongs to an allowlisted domain; it does not reject destinations that resolve to private, loopback, or link-local addresses. A URL that passes the domain check but points at such an address therefore lets the attacker reach services on the internal network (for example Jellyfin, Emby, or Plex) and read responses from internal resources that should not be exposed.
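The following is an added example, not MoviePilot's own code: a domain-membership-only check of the kind the advisory describes, beside a hardened variant that also resolves the host and refuses any address that is not globally routable. ALLOWED_DOMAINS, FAKE_DNS, fake_resolver and the function names are constructed for illustration (the page does not say how an allowlisted name ends up pointing at an internal address, so the constructed DNS table simply supplies one); the real SecurityUtils.is_safe_url is not reproduced here.

```python
"""Allowlist-only URL check beside a hardened one for an image proxy.

Added example, not MoviePilot's own code. ALLOWED_DOMAINS, FAKE_DNS and the
function names are constructed for illustration; the real is_safe_url is not
reproduced here.
"""
import ipaddress
import socket
from typing import Callable, Iterable, Optional
from urllib.parse import urlparse

# Constructed allowlist (assumption): the hosts an image proxy may fetch from.
ALLOWED_DOMAINS = ("image.tmdb.org", "example-cdn.test")

# Constructed DNS table (assumption) so the example runs offline. The second
# entry models an allowlisted name that points at loopback, which is exactly
# what a domain-only check cannot see.
FAKE_DNS = {
    "image.tmdb.org": ["93.184.216.34"],
    "rebound.example-cdn.test": ["127.0.0.1"],
    "media.example-cdn.test": ["10.0.0.12"],
    "v6.example-cdn.test": ["::ffff:169.254.169.254"],
}

Resolver = Callable[[str], list]


def fake_resolver(host: str) -> list:
    """Offline stand-in for DNS; raises OSError like getaddrinfo would."""
    if host not in FAKE_DNS:
        raise OSError(f"no records for {host}")
    return FAKE_DNS[host]


def system_resolver(host: str) -> list:
    """Real resolver for production use (every A/AAAA answer, deduplicated)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def host_in_allowlist(host: str, allowed: Iterable[str]) -> bool:
    """Exact match or subdomain of an allowlisted domain (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d.lower() or host.endswith("." + d.lower()) for d in allowed)


def is_safe_url_allowlist_only(url: str, allowed: Iterable[str] = ALLOWED_DOMAINS) -> bool:
    """The weak pattern the advisory describes: domain membership and nothing else.
    It never looks at where the host actually resolves."""
    host = urlparse(url).hostname
    return host is not None and host_in_allowlist(host, allowed)


def is_safe_url_hardened(
    url: str,
    allowed: Iterable[str] = ALLOWED_DOMAINS,
    resolver: Resolver = system_resolver,
) -> Optional[str]:
    """Return None if the URL may be fetched, otherwise a short rejection reason.

    Adds to the allowlist check: http(s) only, no userinfo, no literal IP
    hosts, and every address the host resolves to must be globally routable
    (rejects private, loopback, link-local, multicast, reserved and
    unspecified ranges, including IPv4 mapped into IPv6)."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return "userinfo not allowed"
    host = parts.hostname
    if not host:
        return "no host"
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return "literal IP host not allowed"
    except ValueError:
        pass  # not a literal address; continue with the name checks
    if not host_in_allowlist(host, allowed):
        return "host not in allowlist"
    try:
        addrs = resolver(host)
    except OSError:
        return "host did not resolve"
    if not addrs:
        return "host did not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # treat ::ffff:10.0.0.1 as 10.0.0.1
        if not ip.is_global:
            return f"resolves to non-global address {addr}"
    return None
```

Two caveats when wiring a check like this into a proxy: run it again on every redirect hop, since an allowlisted host can 302 to an internal address, and have the fetch connect to the address that was vetted (or re-resolve and compare) so that a name which changes its answer between check and connect cannot slip past.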

Affected Version(s)

MoviePilot, all versions up to and including commit 0b7854a0af8751160b68c43c46ded48d2bd8a212


CVSS V4

Score: 7
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 29 May 2026

Credit

YU SUN