CVE-2026-30976

Source
https://cve.org/CVERecord?id=CVE-2026-30976
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30976.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-30976
Aliases
  • GHSA-h393-v5hm-6h8f
Published
2026-03-25T21:11:20.078Z
Modified
2026-04-10T05:42:49.114236Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Summary
Sonarr Path Traversal vulnerability
Details

Sonarr is a PVR for Usenet and BitTorrent users. In versions on the 4.x branch prior to 4.0.17.2950, an unauthenticated remote attacker can potentially read any file readable by the Sonarr process. These include application configuration files (containing API keys and database credentials), Windows system files, and any user-accessible files on the same drive. This issue only impacts Windows systems; macOS and Linux are unaffected. Files returned from the API were not limited to the directory on disk they were intended to be served from. This problem has been patched in 4.0.17.2950 in the nightly/develop branch or 4.0.17.2952 for stable/main releases. It's possible to work around the issue by only hosting Sonarr on a secure internal network and accessing it via VPN, Tailscale or a similar solution from outside that network.

Database specific
{
    "cwe_ids": [
        "CWE-22"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/30xxx/CVE-2026-30976.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/sonarr/sonarr

Affected ranges

Type
GIT
Repo
https://github.com/sonarr/sonarr
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "4.0"
        },
        {
            "fixed": "4.0.17.2950"
        }
    ]
}

Affected versions

v2.*
v2.0.0.3004
v2.0.0.3154
v2.0.0.3357
v2.0.0.3527
v2.0.0.3530
v2.0.0.3573
v2.0.0.3645
v2.0.0.3732
v2.0.0.3953
v2.0.0.4146
v2.0.0.4230
v2.0.0.4323
v2.0.0.4326
v2.0.0.4370
v2.0.0.4389
v2.0.0.4409
v2.0.0.4427
v2.0.0.4472
v2.0.0.4613
v2.0.0.4689
v2.0.0.4748
v2.0.0.4753
v2.0.0.4855
v2.0.0.4913
v2.0.0.4918
v2.0.0.4919
v2.0.0.4928
v2.0.0.4949
v2.0.0.5054
v2.0.0.5153
v2.0.0.5163
v2.0.0.5225
v2.0.0.5228
v2.0.0.5250
v3.*
v3.0.5.1144
v3.0.6.1196
v3.0.6.1264
v3.0.6.1266
v3.0.6.1335
v3.0.6.1342
v3.0.7.1477
v3.0.8.1507
v3.0.9.1549
v4.*
v4.0.0.741
v4.0.0.825
v4.0.0.836
v4.0.0.924
v4.0.1.1014
v4.0.1.1047
v4.0.1.1096
v4.0.1.1114
v4.0.1.1131
v4.0.1.1168
v4.0.1.929
v4.0.1.933
v4.0.1.947
v4.0.1.953
v4.0.1.987
v4.0.10.2544
v4.0.10.2579
v4.0.10.2624
v4.0.10.2656
v4.0.11.2680
v4.0.11.2688
v4.0.11.2697
v4.0.11.2724
v4.0.11.2743
v4.0.11.2762
v4.0.11.2774
v4.0.11.2784
v4.0.11.2793
v4.0.11.2800
v4.0.11.2804
v4.0.11.2815
v4.0.12.2823
v4.0.12.2825
v4.0.12.2849
v4.0.12.2866
v4.0.12.2892
v4.0.12.2900
v4.0.13.2931
v4.0.13.2932
v4.0.13.2933
v4.0.13.2934
v4.0.14.2938
v4.0.14.2939
v4.0.15.2940
v4.0.15.2941
v4.0.16.2942
v4.0.16.2943
v4.0.16.2944
v4.0.16.2946
v4.0.2.1183
v4.0.2.1192
v4.0.2.1223
v4.0.2.1262
v4.0.2.1312
v4.0.2.1341
v4.0.2.1367
v4.0.2.1408
v4.0.3.1413
v4.0.3.1442
v4.0.3.1465
v4.0.3.1486
v4.0.4.1491
v4.0.4.1515
v4.0.4.1572
v4.0.4.1616
v4.0.4.1650
v4.0.4.1668
v4.0.4.1692
v4.0.4.1695
v4.0.4.1699
v4.0.5.1710
v4.0.5.1719
v4.0.5.1740
v4.0.5.1760
v4.0.5.1778
v4.0.5.1782
v4.0.5.1791
v4.0.5.1801
v4.0.6.1805
v4.0.6.1820
v4.0.6.1847
v4.0.7.1863
v4.0.7.1868
v4.0.8.1874
v4.0.8.1893
v4.0.8.1902
v4.0.8.1929
v4.0.8.1967
v4.0.8.1988
v4.0.8.2008
v4.0.8.2093
v4.0.8.2158
v4.0.8.2208
v4.0.8.2223
v4.0.9.2244
v4.0.9.2257
v4.0.9.2278
v4.0.9.2300
v4.0.9.2332
v4.0.9.2342
v4.0.9.2386
v4.0.9.2421
v4.0.9.2457
v4.0.9.2513

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-30976.json"