cvedb.io
CVE-2025-58761
HIGH · CVSS 8.6
EPSS exploitation probability: 0%
Published 2025-09-09T20:15:49.763 · Last modified 2026-06-17T09:44:53.553

Summary

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. The `real_pms_image_proxy` endpoint in Tautulli v2.15.3 and prior is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. The `real_pms_image_proxy` is used to fetch an image directly from the backing Plex Media Server. The image to be fetched is specified through an `img` URL parameter, which can either be a URL or a file path. There is some validation ensuring that `img` begins with the prefix `interfaces/default/images` in order to be served from the local filesystem. However this can be bypassed by passing an `img` parameter which begins with a valid prefix, and then adjoining path traversal characters in order to reach files outsi

Affected products

tautulli — tautulli

Does this affect you?

Add your gear to cvedb and we'll alert you only when tautulli ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.