CVE-2026-10107
MoviePilot v2 SSRF via /api/v1/system/img/{proxy} Endpoint
| CVSS Score | 7.7 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
MoviePilot v2 contains a server-side request forgery vulnerability in the image proxy endpoint that allows authenticated attackers to request arbitrary URLs by supplying a resource_token cookie and a URL whose domain matches the assembled allowlist. Attackers can bypass internal network protections because the SecurityUtils.is_safe_url function performs only domain-membership checking without blocking private, loopback, or link-local addresses, enabling enumeration of internal services such as Jellyfin, Emby, or Plex and exfiltration of data from internal network resources.
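To make the weakness concrete, here is a domain-membership check of the kind the description attributes to SecurityUtils.is_safe_url, beside a hardened version that also rejects private, loopback and link-local destinations. This is an added illustration, not MoviePilot's code; the function names, the allowlist contents and the injectable resolver are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed stand-in for the allowlist MoviePilot assembles (the real list's
# contents are not on the page): a public image host plus one configured media
# server on the LAN, the kind of entry that turns a domain-only check into a
# proxy for internal network resources.
ALLOWED_HOSTS = frozenset({"image.tmdb.org", "192.168.1.20"})


def weak_is_safe_url(url, allowed=ALLOWED_HOSTS):
    """Domain-membership check only, modelling the weakness described above."""
    return (urlparse(url).hostname or "") in allowed


def is_public_address(ip):
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def _default_resolve(host):
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def hardened_is_safe_url(url, allowed=ALLOWED_HOSTS, resolve=_default_resolve):
    """Allowlist check plus scheme and destination-address checks. `resolve`
    maps a hostname to its IP strings; it is injectable so tests run offline."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname or ""
    if host not in allowed:
        return False
    try:
        ipaddress.ip_address(host)          # literal IP: nothing to resolve
        addrs = {host}
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError:
            return False
    # Reject if any resolved address is private, loopback, link-local, etc.
    # The fetch should then connect to one of these checked addresses rather
    # than re-resolving, otherwise DNS rebinding reopens the hole.
    return bool(addrs) and all(is_public_address(a) for a in addrs)
```

Where a LAN media server must legitimately be proxied, pin the exact origin (scheme, host and port) of each configured server rather than adding private ranges to a domain allowlist.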
| CWE | CWE-918 |
| Vendor | jxxghp |
| Product | moviepilot |
| Published | May 29, 2026 |
| Last Updated | May 29, 2026 |
CVSS v3 Breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity | None |
| Availability | None |
Affected Versions
jxxghp / MoviePilot
| Version range | 0 ≤ v2.13.2 |
| Commit range | 0 ≤ 0b7854a0af8751160b68c43c46ded48d2bd8a212 |
References
github.com: https://github.com/jxxghp/MoviePilot/issues/5823
github.com: https://github.com/jxxghp/MoviePilot/commit/0b7854a0af8751160b68c43c46ded48d2bd8a212
github.com: https://github.com/jxxghp/MoviePilot/releases/tag/v2.13.2
vulncheck.com: https://www.vulncheck.com/advisories/moviepilot-v2-ssrf-via-api-v1-system-img-proxy-endpoint
Credits
YU SUN