Impact
The vulnerability is a classic path traversal flaw in the /newsletter/image/images endpoint of Tautulli. File names supplied to the endpoint are concatenated to a filesystem path without proper sanitization, allowing an attacker to include directory traversal sequences that reference files outside the intended directory. Because the endpoint does not enforce authentication, an unauthenticated attacker can retrieve any file readable by the web server process, exposing configuration data, credentials, or other sensitive information. The weakness is catalogued as CWE-23.
Affected Systems
All releases of Tautulli prior to version 2.17.0 are susceptible. Any build that still ships the /newsletter/image/images API endpoint is in scope. The CPE string provided identifies only the generic package and lists no specific sub-versions, so every pre-2.17.0 installation should be treated as vulnerable.
Risk and Exploitability
The CVSS score of 8.7 signals high severity, while the EPSS score of less than 1% indicates that exploitation is not widespread but still plausible, especially for exposed installations. The vulnerability is not listed in the KEV catalog, but an attacker can trigger it via a simple HTTP GET request to /newsletter/image/images with a crafted filename that includes '..' sequences. Since authentication is not required, any network host that can reach the application can exploit this flaw, posing a significant confidentiality risk.
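To make the weakness described in the Impact section and the request pattern described above concrete, the following added Python example (not Tautulli's code) contrasts the bare path concatenation the advisory describes with a containment check that a maintainer would use instead, and scans constructed access-log lines for traversal attempts against the endpoint. The image query parameter name, the log format and the image directory are assumptions, not taken from the advisory.

```python
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (assumed format; parameter name "image" is assumed).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /newsletter/image/images?image=logo.png HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /newsletter/image/images?image=../../config.ini HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /newsletter/image/images?image=..%2F..%2Fconfig.ini HTTP/1.1" 200 2048
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /home HTTP/1.1" 200 4096
"""

# Hypothetical directory that newsletter images are meant to be served from.
IMAGE_DIR = os.path.join(tempfile.gettempdir(), "newsletter_images")


def unsafe_image_path(base_dir, filename):
    # The pattern the advisory describes: user input joined straight onto a base path.
    # "../../config.ini" (or an absolute path) escapes base_dir.
    return os.path.join(base_dir, filename)


def safe_image_path(base_dir, filename):
    # Hardened variant: resolve symlinks and ".." first, then require that the
    # resolved candidate is inside the resolved base directory. commonpath (not
    # startswith) avoids "/images_evil" passing as a child of "/images".
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path traversal rejected: {filename!r}")
    return candidate


def has_traversal(value):
    # True when any path segment of the (already URL-decoded) value is "..".
    return any(seg == ".." for seg in re.split(r"[\\/]", value))


def flag_traversal_requests(log_text, endpoint="/newsletter/image/images"):
    # Detection over access logs: return lines that hit the endpoint with a
    # query value containing a ".." segment. parse_qs undoes %2F encoding.
    hits = []
    for line in log_text.splitlines():
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        if parts.path != endpoint:
            continue
        values = [v for vs in parse_qs(parts.query).values() for v in vs]
        if any(has_traversal(v) for v in values):
            hits.append(line)
    return hits
```

The detector only undoes a single layer of URL encoding, so it is a triage aid rather than a substitute for upgrading to 2.17.0 or later.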
OpenCVE Enrichment