CVE-2026-31831

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-31831

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31831.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-31831

Aliases

GHSA-xp55-2pf4-fv8m

Published

2026-03-30T19:42:23.002Z

Modified

2026-04-10T05:42:09.498078Z

Severity

8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Tautulli: Unauthenticated Path Traversal in `/newsletter/image/images` endpoint

Details

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /newsletter/image/images API endpoint is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. This issue has been patched in version 2.17.0.

Database specific

{
    "cwe_ids": [
        "CWE-23"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31831.json"
}

References

Affected packages

Git / github.com/tautulli/tautulli

Affected ranges

Type

GIT

Repo

https://github.com/tautulli/tautulli

Events

Introduced

Fixed

5610c167a17b0898d93d0588a0df81c03306ac52

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.17.0"
        }
    ]
}

Affected versions

v1.*

v1.0

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.4.13

v1.4.14

v1.4.15

v1.4.16

v1.4.17

v1.4.18

v1.4.19

v1.4.20

v1.4.21

v1.4.22

v1.4.23

v1.4.24

v1.4.25

v2.*

v2.0.0-beta

v2.0.1-beta

v2.0.10-beta

v2.0.11-beta

v2.0.12-beta

v2.0.13-beta

v2.0.14-beta

v2.0.15-beta

v2.0.16-beta

v2.0.17-beta

v2.0.18-beta

v2.0.19-beta

v2.0.2-beta

v2.0.20-beta

v2.0.21-beta

v2.0.22

v2.0.22-beta

v2.0.23-beta

v2.0.3-beta

v2.0.4-beta

v2.0.5-beta

v2.0.6-beta

v2.0.7-beta

v2.0.8-beta

v2.0.9-beta

v2.1.0-beta

v2.1.1-beta

v2.1.10-beta

v2.1.11-beta

v2.1.12

v2.1.13

v2.1.14

v2.1.16-beta

v2.1.17-beta

v2.1.18

v2.1.19-beta

v2.1.2-beta

v2.1.20

v2.1.20-beta

v2.1.21

v2.1.22

v2.1.23-beta

v2.1.24-beta

v2.1.25

v2.1.26

v2.1.27-beta

v2.1.28

v2.1.29-beta

v2.1.3-beta

v2.1.30-beta

v2.1.31

v2.1.31-beta

v2.1.32

v2.1.33

v2.1.34

v2.1.35-beta

v2.1.36-beta

v2.1.37

v2.1.38

v2.1.4

v2.1.5-beta

v2.1.6-beta

v2.1.7-beta

v2.1.8-beta

v2.1.9

v2.10.0

v2.10.1

v2.10.2

v2.10.3

v2.10.4

v2.10.5

v2.11.0

v2.11.1

v2.12.0

v2.12.0-beta

v2.12.1

v2.12.2

v2.12.3

v2.12.4

v2.12.5

v2.13.0

v2.13.1

v2.13.2

v2.13.3

v2.13.4

v2.14.0-beta

v2.14.1-beta

v2.14.2

v2.14.3

v2.14.4

v2.14.5

v2.14.6

v2.15.0

v2.15.1

v2.15.2

v2.15.3

v2.16.0

v2.16.1

v2.5.0-beta

v2.5.1-beta

v2.5.2

v2.5.2-beta

v2.5.3

v2.5.4

v2.5.5

v2.5.6

v2.6.0

v2.6.0-beta

v2.6.1

v2.6.10

v2.6.2

v2.6.3

v2.6.4

v2.6.5

v2.6.6

v2.6.7

v2.6.8

v2.6.9

v2.7.0

v2.7.0-beta

v2.7.1

v2.7.2

v2.7.3

v2.7.4

v2.7.5

v2.7.6

v2.7.7

v2.8.0

v2.8.0-beta

v2.8.1

v2.9.0

v2.9.0-beta

v2.9.1

v2.9.2

v2.9.3

v2.9.4

v2.9.5

v2.9.6

v2.9.7

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31831.json"