Lucene search
K

135 matches found

Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.15 views

PT-2026-44923

Name of the Vulnerable Software and Affected Versions MoviePilot version v2 Description An issue exists in the image proxy endpoint '/api/v1/system/img/proxy' that allows authenticated attackers to request arbitrary URLs. By providing a resource token cookie and a URL with a domain that matches t...

7.7CVSS5.9AI score0.0025EPSS
Exploits0References8
CNNVD
CNNVD
added 2026/05/29 12:0 a.m.9 views

MoviePilot 安全漏洞

MoviePilot is an automated film resource management tool developed by jxxghp. Version 2 of MoviePilot has a security vulnerability. This vulnerability stems from a server-side request forgery in the image proxy endpoint, which may allow authenticated attackers to request arbitrary URLs and...

7.7CVSS5.9AI score0.0025EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/18 12:0 a.m.17 views

PT-2026-41695

Name of the Vulnerable Software and Affected Versions Statamic versions prior to 5.73.22 Statamic versions prior to 6.18.1 Description The Glide image proxy contains a flaw where URL validation can be bypassed using an IP representation that is not normalized before the public-IP check. This allo...

5.4CVSS5.8AI score0.00151EPSS
Exploits0References8
Snyk
Snyk
added 2026/05/15 9:29 p.m.7 views

Improper Check for Unusual or Exceptional Conditions

Overview Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions via the image proxy process. An attacker can cause a denial of service on client systems by serving malicious SVG files from an attacker-controlled origin with a misleading Content-Ty...

6.5CVSS5.8AI score0.00242EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/15 6:32 p.m.8 views

CVE-2026-4054 SVG content served through Mattermost image proxy despite Content-Type restrictions causes client-side denial of service

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 Fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG file served from an attacker-controlled origin under a non-SVG Content-Type header e.g. image/png...

4.3CVSS5.8AI score0.00242EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/15 6:32 p.m.41 views

CVE-2026-4054 SVG content served through Mattermost image proxy despite Content-Type restrictions causes client-side denial of service

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13, 11.4.x = 11.4.3 Fail to validate the response body of proxied images, which allows a remote attacker to enact client-side DoS via an SVG file served from an attacker-controlled origin under a non-SVG Content-Type header e.g. image/png...

4.3CVSS0.00242EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/31 10:58 p.m.5 views

CVE-2026-31804

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /pmsimageproxy endpoint accepts a user-supplied img parameter and forwards it to Plex Media Server's /photo/:/ transcode transcoder without authentication and without restricting the scheme...

4CVSS5.8AI score0.00277EPSS
Exploits1References1
NVD
NVD
added 2026/03/30 8:16 p.m.12 views

CVE-2026-31804

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /pmsimageproxy endpoint accepts a user-supplied img parameter and forwards it to Plex Media Server's /photo/:/ transcode transcoder without authentication and without restricting the scheme...

5.3CVSS0.00277EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/03/30 7:42 p.m.4 views

CVE-2026-31804

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /pmsimageproxy endpoint accepts a user-supplied img parameter and forwards it to Plex Media Server's /photo/:/ transcode transcoder without authentication and without restricting the scheme...

4CVSS5.8AI score0.00277EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/03/30 7:42 p.m.8 views

CVE-2026-31804 Tautulli: Unauthenticated pms_image_proxy endpoint proxies arbitrary HTTP requests through the Plex Media Server

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /pmsimageproxy endpoint accepts a user-supplied img parameter and forwards it to Plex Media Server's /photo/:/ transcode transcoder without authentication and without restricting the scheme...

4CVSS5.8AI score0.00277EPSS
Exploits1References4
CVE
CVE
added 2026/03/30 7:42 p.m.14 views

CVE-2026-31804

CVE-2026-31804 affects Tautulli (Python-based Plex monitor) before version 2.17.0. The vulnerable /pms_image_proxy endpoint accepts a user-controlled img parameter and forwards it to Plex Media Server’s /photo/:/ transcode transcoder without authentication or host/scheme restrictions. Because web...

5.3CVSS5.8AI score0.00277EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/03/30 7:42 p.m.35 views

CVE-2026-31804 Tautulli: Unauthenticated pms_image_proxy endpoint proxies arbitrary HTTP requests through the Plex Media Server

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /pmsimageproxy endpoint accepts a user-supplied img parameter and forwards it to Plex Media Server's /photo/:/ transcode transcoder without authentication and without restricting the scheme...

4CVSS0.00277EPSS
Exploits1References2
CNNVD
CNNVD
added 2026/03/30 12:0 a.m.9 views

Tautulli 代码问题漏洞

Tautulli is an open-source application developed by Tautulli for monitoring Plex Media Server. Versions of Tautulli prior to 2.17.0 had code vulnerabilities. These vulnerabilities stemmed from insufficient validation and restrictions on the img parameter in the /pmsimageproxy endpoint, which coul...

5.3CVSS5.9AI score0.00277EPSS
Exploits1References3
RedhatCVE
RedhatCVE
added 2026/03/02 1:51 a.m.10 views

CVE-2026-28423

Statmatic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode which is not the default, the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary...

8.6CVSS5.9AI score0.00378EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/03/01 1:30 a.m.8 views

Statamic Vulnerable to Server-Side Request Forgery via Glide

Impact When Glide image manipulation is used in insecure mode which is not the default, the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal...

8.6CVSS5.9AI score0.00378EPSS
Exploits0References5Affected Software1
EUVD
EUVD
added 2026/02/27 10:11 p.m.5 views

EUVD-2026-9092

Statmatic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode which is not the default, the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary...

6.8CVSS5.9AI score0.00378EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/02/27 10:11 p.m.4 views

CVE-2026-28423

Statmatic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode which is not the default, the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary...

8.6CVSS5.9AI score0.00378EPSS
Exploits0References4Affected Software1
CNNVD
CNNVD
added 2026/02/27 12:0 a.m.7 views

cms 代码问题漏洞

Cms is a software package developed by Statamic. Versions of CMS prior to 5.73.11 and 6.4.0 contained code-related vulnerabilities. These vulnerabilities occurred when using Glide image processing in an insecure mode. In such cases, the image proxy could be exploited to send HTTP requests to...

8.6CVSS5.9AI score0.00378EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/02/27 12:0 a.m.7 views

PT-2026-22422

Name of the Vulnerable Software and Affected Versions Statmatic versions prior to 5.73.11 Statmatic versions prior to 6.4.0 Description Statmatic is a content management system. When Glide image manipulation is used in insecure mode, an unauthenticated user can exploit the image proxy to make the...

6.8CVSS6AI score0.00378EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2026/02/05 9:13 a.m.6 views

CVE-2026-1294 All In One Image Viewer Block <= 1.0.2 - Unauthenticated Server-Side Request Forgery via image-proxy Endpoint

The All In One Image Viewer Block plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.2 due to missing authorization and URL validation on the image-proxy REST API endpoint. This makes it possible for unauthenticated attackers to make web...

7.2CVSS5.6AI score0.00293EPSS
Exploits0References3
Rows per page
Query Builder