Skip to main content

Moviepilot

2 CVEs product

Monthly

CVE-2026-11416 HIGH PATCH This Week

Path traversal in MoviePilot's AliPan, U115, Rclone, and SMB cloud storage download handlers allows an attacker who controls remote filenames to write files outside the configured download directory. The flaw stems from unsanitized concatenation of filenames returned by remote cloud APIs, enabling overwrite of configuration files, plugins, or other files accessible to the application process. No public exploit identified at time of analysis, but a vendor patch is available via upstream commit a0b3800.

Path Traversal Moviepilot
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.1%
CVE-2026-10107 HIGH PATCH This Week

Server-side request forgery in MoviePilot v2's image proxy endpoint (/api/v1/system/img-proxy) allows authenticated attackers holding a valid resource_token cookie to coerce the server into fetching arbitrary internal URLs. The flaw stems from SecurityUtils.is_safe_url performing domain-membership checks without blocking private, loopback, or link-local IPs, letting attackers enumerate co-hosted media services such as Jellyfin, Emby, and Plex and exfiltrate internal data. No public exploit identified at time of analysis, though the upstream patch and vendor-published advisory clearly document the attack path.

SSRF Moviepilot
NVD GitHub
CVSS 4.0
7.0
EPSS
0.0%
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Path traversal in MoviePilot's AliPan, U115, Rclone, and SMB cloud storage download handlers allows an attacker who controls remote filenames to write files outside the configured download directory. The flaw stems from unsanitized concatenation of filenames returned by remote cloud APIs, enabling overwrite of configuration files, plugins, or other files accessible to the application process. No public exploit identified at time of analysis, but a vendor patch is available via upstream commit a0b3800.

Path Traversal Moviepilot
NVD GitHub VulDB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

Server-side request forgery in MoviePilot v2's image proxy endpoint (/api/v1/system/img-proxy) allows authenticated attackers holding a valid resource_token cookie to coerce the server into fetching arbitrary internal URLs. The flaw stems from SecurityUtils.is_safe_url performing domain-membership checks without blocking private, loopback, or link-local IPs, letting attackers enumerate co-hosted media services such as Jellyfin, Emby, and Plex and exfiltrate internal data. No public exploit identified at time of analysis, though the upstream patch and vendor-published advisory clearly document the attack path.

SSRF Moviepilot
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy