PT-2026-28789 · Tautulli+1
Mandreko · Published 2026-03-28 · Updated 2026-03-31 · CVE-2026-31804
CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Tautulli versions prior to 2.17.0

Description: Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. The /pms image proxy API endpoint accepts a user-supplied img parameter and forwards it to Plex Media Server's /photo/:/transcode transcoder without authentication or scheme/host restriction. This endpoint is intentionally excluded from authentication checks. Any value of img starting with http is passed directly to Plex, causing the Plex Media Server process to make an outbound HTTP request to a URL specified by an attacker. The img parameter is vulnerable.

Recommendations: Update Tautulli to version 2.17.0 or later.
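As an added example (not Tautulli's code), the check below models the validation the advisory says was missing for an image-proxy parameter like img, and applies the same rule to constructed access-log lines to spot requests that tried to make Plex fetch an external URL. The allowed path prefixes and the log format are assumptions.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: only server-relative Plex resource paths are legitimate inputs
# for an image proxy; the prefixes below are illustrative, not Tautulli's.
ALLOWED_PREFIXES = ("/library/", "/photo/")


def is_safe_img(img: str) -> bool:
    """Accept only a plain relative Plex path: no scheme, host or traversal.

    The advisory says this check was missing: any img value starting with
    http was forwarded to Plex unchanged.
    """
    if not img:
        return False
    candidate = unquote(img)            # catch http%3A%2F%2F... encodings
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:    # http://host, HTTPS://host, //host
        return False
    if not candidate.startswith(ALLOWED_PREFIXES):
        return False
    if ".." in candidate.split("/"):    # keep the request inside the prefix
        return False
    return True


def flag_absolute_img(log_lines):
    """Flag /pms log lines with an unsafe img (log format is constructed)."""
    flagged = []
    for line in log_lines:
        fields = line.split()           # "<client> <method> <path?query> <status>"
        if len(fields) < 3:
            continue
        url = urlsplit(fields[2])
        if url.path != "/pms":
            continue
        imgs = parse_qs(url.query).get("img", [])   # parse_qs URL-decodes
        if any(not is_safe_img(v) for v in imgs):
            flagged.append(line)
    return flagged


# Constructed sample traffic: one legitimate thumbnail fetch, two attempts to
# make Plex fetch an external URL, and an unrelated request.
SAMPLE_LOG = [
    "198.51.100.7 GET /pms?img=/library/metadata/123/thumb/456 200",
    "198.51.100.8 GET /pms?img=http%3A%2F%2Fattacker.example%2Fprobe 200",
    "198.51.100.9 GET /pms?img=//attacker.example/probe 200",
    "198.51.100.7 GET /home 200",
]
```

Running flag_absolute_img(SAMPLE_LOG) returns the second and third lines only; the scheme-relative form (//host) is caught because urlsplit reports a netloc even without a scheme.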

Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers
CVE-2026-31804
GHSA-QJ2F-4C4P-WV97

Affected Products
Plex Media Server
Tautulli