Remote Command Execution Vulnerability in Tautulli Monitoring Tool for Plex Media Server
CVE-2026-31804

4 (MEDIUM)

Key Information:

Vendor: Tautulli
Status: Vendor
CVE Published: 30 March 2026

What is CVE-2026-31804?

Tautulli, a Python-based monitoring tool for Plex Media Server, has a vulnerability in its /pms_image_proxy endpoint in versions prior to 2.17.0. The endpoint accepts a user-supplied 'img' parameter and forwards it to Plex Media Server's transcoder without requiring authentication and without validating the URL's scheme or host. As a result, any 'img' value beginning with "http" is passed on to Plex, which lets an unauthenticated attacker cause the server to issue outbound HTTP requests to URLs of the attacker's choosing. Users are advised to upgrade to version 2.17.0 or later to mitigate this risk.
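The description above says the missing control was validation of the 'img' parameter's scheme and host before the value is forwarded to Plex. The following is an added illustration, not Tautulli's code and not the actual change shipped in 2.17.0: an allow-list check of the kind a defender would expect in front of an image proxy, plus the same check applied to constructed access-log lines so that requests carrying an unexpected absolute URL can be flagged. The endpoint path and parameter name come from the advisory; the allowed Plex host, the log format and the log lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed placeholders for this example: the only scheme(s) and host the
# image proxy should ever be allowed to fetch from (the configured PMS).
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"plex.internal.example"}


def validate_img_param(img, allowed_hosts=ALLOWED_HOSTS):
    """Decide whether an 'img' value may be forwarded to Plex.

    Returns (ok, reason). Relative Plex image keys such as
    /library/metadata/123/thumb/456 are accepted; absolute URLs are accepted
    only when their scheme and host are on the allow-list.
    """
    if not isinstance(img, str) or not img.strip():
        return False, "empty img parameter"
    if "\r" in img or "\n" in img:
        return False, "control characters in img parameter"
    # A single leading slash is a Plex-relative key; '//host/...' is a
    # scheme-relative URL and must go through the host check below.
    if img.startswith("/") and not img.startswith("//"):
        return True, "relative Plex image key"
    parts = urlsplit(img)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme or '(none)'} not allowed"
    # Reject 'user@host' forms so the allowed name cannot appear in userinfo
    # while the request actually goes elsewhere.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    host = parts.hostname  # urlsplit lowercases this for us
    if host is None or host not in {h.lower() for h in allowed_hosts}:
        return False, f"host {host!r} not in allow-list"
    return True, "absolute URL to allowed Plex host"


# Constructed sample access-log lines (common log format, not a real capture).
SAMPLE_LOG = """\
10.0.0.5 - - [30/Mar/2026:10:00:01 +0000] "GET /pms_image_proxy?img=/library/metadata/123/thumb/456&width=300 HTTP/1.1" 200 5120
10.0.0.5 - - [30/Mar/2026:10:00:02 +0000] "GET /pms_image_proxy?img=http://plex.internal.example/photo/:/transcode HTTP/1.1" 200 4096
203.0.113.9 - - [30/Mar/2026:10:00:03 +0000] "GET /pms_image_proxy?img=http://198.51.100.7/probe HTTP/1.1" 200 0
203.0.113.9 - - [30/Mar/2026:10:00:04 +0000] "GET /pms_image_proxy?img=//198.51.100.7/x HTTP/1.1" 200 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) '
)


def flag_suspicious_requests(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Return (source_ip, img_value, reason) for every /pms_image_proxy
    request whose 'img' parameter fails validate_img_param()."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if target.path != "/pms_image_proxy":
            continue
        # parse_qs percent-decodes, so encoded and raw 'img' values compare alike.
        for img in parse_qs(target.query).get("img", []):
            ok, reason = validate_img_param(img, allowed_hosts)
            if not ok:
                findings.append((m.group("src"), img, reason))
    return findings


if __name__ == "__main__":
    for src, img, reason in flag_suspicious_requests(SAMPLE_LOG):
        print(f"{src} img={img!r}: {reason}")
```

Run against the constructed log, the two requests from 203.0.113.9 are flagged (one for a host outside the allow-list, one for a scheme-relative URL) while the relative key and the URL to the configured Plex host pass. The same validate_img_param() check placed in the request handler is what turns this from a detection into a mitigation.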

Affected Version(s)

Tautulli < 2.17.0

References

CVSS V3.1

Score: 4
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
