Zero Day MonitorZDM

← Back to list

—

CVE-2026-31831EXPLOITEDPATCHED

null · tautulli

Tautulli: Unauthenticated Path Traversal in `/newsletter/image/images` endpoint

Description

A vulnerability classified as problematic was found in Tautulli up to 2.16.x. Affected by this issue is some unknown functionality of the file /newsletter/image/images of the component API Endpoint. Executing a manipulation can lead to relative path traversal. This vulnerability is handled as CVE-2026-31831. The attack can be executed remotely.

Affected Products

Vendor	Product	Versions
null	tautulli	< 2.17.0

References

https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m(x_refsource_CONFIRM)
https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0(x_refsource_MISC)

Related News (1 articles)

Tier C

VulDB4h ago

CVE-2026-31831 | Tautulli up to 2.16.x API Endpoint /newsletter/image/images path traversal (GHSA-xp55-2pf4-fv8m)

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available2.17.0

CWECWE-23

PublishedMar 30, 2026

Last enriched4h agov2

Trending Score46

Source articles1

Independent1

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-28505EXP

Tautulli: RCE via eval() sandbox bypass using lambda nested scope to escape co_names whitelist check

CRITICALCVE-2026-31804EXP

Tautulli: Unauthenticated pms_image_proxy endpoint proxies arbitrary HTTP requests through the Plex Media Server

HIGHCVE-2026-32275EXP

Tautulli: Unsanitized JSONP callback parameter allows cross-origin script injection and API key theft

CRITICALCVE-2026-31799

Tautulli: SQL Injection in get_home_stats API endpoint via unsanitised filter parameters

HIGHCVE-2026-34070EXP

LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Mar 30, 2026

Discovered by ZDM

Mar 30, 2026

Actively Exploited

Mar 30, 2026

Patch Available

Mar 30, 2026

Updated: description, severity, activelyExploited, patchAvailable

Mar 30, 2026

Version History

v2

Last enriched 4h ago

v2Tier C4h ago

Updated vendor to Tautulli, changed severity to HIGH, noted that the vulnerability is actively exploited, and clarified that no exploit is available.

descriptionseverityactivelyExploitedpatchAvailable

via VulDB

v16h ago

Initial creation