Description
MoviePilot v2 contains a server-side request forgery vulnerability in the image proxy endpoint that allows authenticated attackers to request arbitrary URLs by supplying a resource_token cookie and a URL whose domain matches the assembled allowlist. Attackers can bypass internal network protections because the SecurityUtils.is_safe_url function performs only domain-membership checking without blocking private, loopback, or link-local addresses, enabling enumeration of internal services such as Jellyfin, Emby, or Plex and exfiltration of data from internal network resources.
Published: 2026-05-29
Score: 7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MoviePilot v2 contains an SSRF flaw in the image proxy endpoint. The flaw allows authenticated attackers to supply a URL whose domain passes a basic allowlist check performed by SecurityUtils.is_safe_url. Because the check only verifies domain membership and does not block private, loopback or link-local addresses, attackers can instruct MoviePilot to fetch arbitrary internal URLs, potentially reaching services such as Jellyfin, Emby or Plex and exfiltrating data from internal resources. This vulnerability is classified as CWE-918.
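The weakness class the analysis describes is an allowlist check that looks only at the host name and never at the address the name actually maps to. The block below is an added, illustrative example written for this page; it is not MoviePilot's code, and the function names, the allowlist, the constructed DNS table and the sample addresses are assumptions. It puts the weak, domain-only pattern beside a hardened check that also requires an http(s) scheme, judges IP literals directly, resolves the host, and refuses any answer that is private, loopback, link-local, multicast, reserved or unspecified, including IPv4-mapped IPv6 forms.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]


def _hostname_allowed(hostname: str, allowed_domains: Iterable[str]) -> bool:
    """True if hostname equals, or is a subdomain of, an allowlisted domain."""
    host = hostname.lower().rstrip(".")
    for domain in allowed_domains:
        d = domain.lower().rstrip(".")
        if host == d or host.endswith("." + d):
            return True
    return False


def domain_only_is_safe_url(url: str, allowed_domains: Iterable[str]) -> bool:
    """The weak pattern described in the analysis: allowlist membership only.
    Whatever an allowlisted name resolves to, private ranges included, is accepted."""
    hostname = urlsplit(url).hostname
    return bool(hostname) and _hostname_allowed(hostname, allowed_domains)


def _is_public_address(ip_text: str) -> bool:
    """Reject every address family a server-side fetch must never reach."""
    ip = ipaddress.ip_address(ip_text.split("%", 1)[0])  # drop any IPv6 scope id
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (
        ip.is_private        # RFC 1918, fc00::/7 and other non-routable blocks
        or ip.is_loopback    # 127.0.0.0/8, ::1
        or ip.is_link_local  # 169.254.0.0/16, fe80::/10
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def system_resolver(hostname: str) -> List[str]:
    """Production resolver: every A/AAAA answer for the host, deduplicated."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_safe_url(url: str, allowed_domains: Iterable[str],
                resolver: Resolver = system_resolver) -> bool:
    """Hardened check: scheme, allowlist, then the address(es) the host maps to."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    hostname = parts.hostname
    if not hostname or not _hostname_allowed(hostname, allowed_domains):
        return False
    try:
        # A literal IP in the URL needs no lookup; judge it directly.
        return _is_public_address(hostname)
    except ValueError:
        pass  # not an IP literal, resolve it
    try:
        addresses = resolver(hostname)
    except OSError:
        return False  # unresolvable hosts are refused, not fetched
    # Every answer must be public: one internal record in the set is enough to refuse.
    return bool(addresses) and all(_is_public_address(a) for a in addresses)


# Constructed DNS answers standing in for the real resolver in the demo below.
DEMO_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "internal.example.com": ["10.0.0.5"],
    "dual.example.com": ["93.184.216.34", "fd00::1"],
    "mapped.example.com": ["::ffff:10.0.0.1"],
}


def demo_resolver(hostname: str) -> List[str]:
    """Offline stand-in for system_resolver using the constructed table above."""
    try:
        return DEMO_DNS[hostname]
    except KeyError:
        raise socket.gaierror(f"constructed NXDOMAIN for {hostname}")


if __name__ == "__main__":
    allow = {"example.com"}
    for url in ("https://cdn.example.com/poster.jpg",
                "https://internal.example.com/system/info",
                "http://dual.example.com/",
                "http://mapped.example.com/"):
        print(f"{url:45} domain-only={domain_only_is_safe_url(url, allow)!s:5} "
              f"hardened={is_safe_url(url, allow, demo_resolver)}")
```

Two design points matter in practice. First, a host with several answers is refused if any one of them is internal, because the HTTP client, not the checker, decides which record it connects to. Second, a check-then-fetch sequence still leaves a window in which the DNS answer can change between the lookup and the connection; the robust deployment pins the vetted address when opening the socket, or relies on the egress filtering listed under the recommended actions so that the application check is not the only barrier.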

Affected Systems

The affected product is MoviePilot v2, specifically versions before the 2.13.2 release. The 2.13.2 release, which includes the fix, is available from the project’s GitHub releases page.

Risk and Exploitability

The CVSS score is 7, indicating a medium-to-high severity. EPSS data are not available, and the absence of a KEV listing suggests that active exploitation has not yet been reported. The attack requires an authenticated session with a valid resource_token cookie; once authenticated, the attacker can request any URL whose host matches an allowlisted domain, and because the check does not reject internal address ranges, internal network addresses are reachable. The potential impact ranges from internal service discovery to full data exfiltration, depending on the attacker's objectives.

Generated by OpenCVE AI on May 29, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MoviePilot to version 2.13.2 or later where the SSRF issue is fixed
  • Configure the network firewall or reverse proxy to block outbound requests from MoviePilot to private, loopback, or link-local address ranges
  • If an upgrade is not immediately possible, consider disabling or removing the image proxy endpoint to eliminate the attack surface

Advisories

No advisories yet.

History

Fri, 29 May 2026 19:30:00 +0000

Type      | Values Removed | Values Added
Metrics   |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 17:30:00 +0000

Type        | Values Removed | Values Added
Description |                | (the description shown at the top of this record)
Title       |                | MoviePilot v2 SSRF via /api/v1/system/img/{proxy} Endpoint
Weaknesses  |                | CWE-918
References  |                |
Metrics     |                | cvssV3_1: {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}
            |                | cvssV4_0: {'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T17:32:08.739Z

Reserved: 2026-05-29T16:33:32.399Z

Link: CVE-2026-10107

Vulnrichment

Updated: 2026-05-29T17:31:51.322Z

NVD

Status: Deferred

Published: 2026-05-29T18:16:31.160

Modified: 2026-05-29T20:25:00.760

Link: CVE-2026-10107

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T18:30:05Z

Weaknesses