Jakeperalta7

#11186of 53,630
24.6Total CVSS
Vulnerabilities · 3
High
3
PT-2026-46228
7.1
2026-06-04
Tautulli · Tautulli · CVE-2026-40605
**Name of the Vulnerable Software and Affected Versions** Tautulli versions prior to 2.17.1 **Description** Tautulli is a Python based monitoring and tracking tool for Plex Media Server. A path traversal issue in the cache deletion endpoint allows authenticated API access to delete directories outside the configured cache path, which can lead to arbitrary data loss and service disruption. Path traversal is a technique that allows an attacker to access files or directories outside the intended folder by using special characters like "../". **Recommendations** Update to version 2.17.1.
PT-2026-28790
8.7
2026-03-28
Tautulli · Tautulli · CVE-2026-31831
**Name of the Vulnerable Software and Affected Versions** Tautulli versions prior to 2.17.0 **Description** Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the `/newsletter/image/images` API endpoint is susceptible to a path traversal issue. This allows unauthenticated attackers to read arbitrary files from the application server’s filesystem. The vulnerable parameter is not explicitly mentioned. **Recommendations** Update to Tautulli version 2.17.0 or later.
PT-2026-28166
8.8
2026-03-25
Zoraxy · Zoraxy · CVE-2026-33529
**Name of the Vulnerable Software and Affected Versions** Zoraxy versions prior to 3.3.2 **Description** Zoraxy is a general purpose HTTP reverse proxy and forwarding tool. A path traversal vulnerability exists in the configuration import endpoint (`/api/conf/import`) when handling zip file entries. An authenticated user can exploit this to write arbitrary files outside the intended configuration directory. This can lead to Remote Code Execution (RCE) by creating a malicious plugin. The vulnerability is triggered by embedding "../" within a longer sequence to bypass sanitization checks during zip file processing. Specifically, the zip entry names sanitization is bypassed by embedding `../` inside a longer sequence so the replacement produces a new `../`. The vulnerable endpoint is `POST /api/conf/import`. The `username` and `password` are used for authentication. The vulnerability allows for the creation of a new plugin and modification of the entrypoint to add execution permissions to the plugin. **Recommendations** Versions prior to 3.3.2 should be updated to version 3.3.2 or later.