QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2026-10107

Back to search

CVE-2026-10107

Published: May 29, 2026

Modified: May 29, 2026

PUBLISHED

CVSS v3.1

7.7

HIGH

Description

MoviePilot v2 contains a server-side request forgery vulnerability in the image proxy endpoint that allows authenticated attackers to request arbitrary URLs by supplying a resource_token cookie and a URL whose domain matches the assembled allowlist. Attackers can bypass internal network protections because the SecurityUtils.is_safe_url function performs only domain-membership checking without blocking private, loopback, or link-local addresses, enabling enumeration of internal services such as Jellyfin, Emby, or Plex and exfiltration of data from internal network resources.

VendorProductVersions

jxxghp

MoviePilot

affected
0 - <= v2.13.2
affected
0 - <= 0b7854a0af8751160b68c43c46ded48d2bd8a212

Weaknesses (CWE)

CWE-918

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

References

GitHub Issue
issue-tracking
Pull Request
technical-description

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now