EUVD-2026-34286

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose a public /image/ route that resolves attacker-controlled entries from imagehashlookup and replays them through the same server-side image fetch logic used by authenticated image proxying...

EUVD-2026-34273

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 are vulnerable to remote code execution via the newsletter custom template directory feature. On a fresh install before the setup wizard is completed, all management endpoints are completely...

EUVD-2026-17208

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has been patched in version 2.17.0...

CVE-2026-31804 Tautulli: Unauthenticated pms_image_proxy endpoint proxies arbitrary HTTP requests through the Plex Media Server

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /pmsimageproxy endpoint accepts a user-supplied img parameter and forwards it to Plex Media Server's /photo/:/ transcode transcoder without authentication and without restricting the scheme...

CVE-2026-31804

CVE-2026-31804 affects Tautulli (Python-based Plex monitor) before version 2.17.0. The vulnerable /pms_image_proxy endpoint accepts a user-controlled img parameter and forwards it to Plex Media Server’s /photo/:/ transcode transcoder without authentication or host/scheme restrictions. Because web...

CVE-2021-33959

Plex media server 1.21 and before is vulnerable to ddos reflection attack via plex service...

Plex Media Server <= 1.43.0.10389 Multiple Vulnerabilities

Plex Media Server is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:plex:plexmediaserver";...

CVE-2025-69415

In Plex Media Server PMS through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account...

CVE-2025-69417

In the plex.tv backend for Plex Media Server PMS through 2025-12-31, a non-server device token can retrieve share tokens intended for unrelated access via a sharedservers endpoint...

CVE-2025-69414

Plex Media Server PMS through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token...

CVE-2025-69416

In the plex.tv backend for Plex Media Server PMS through 2025-12-31, a non-server device token can retrieve other tokens intended for unrelated access via clients.plex.tv/devices.xml...

CVE-2025-69417

In the plex.tv backend for Plex Media Server PMS through 2025-12-31, a non-server device token can retrieve share tokens intended for unrelated access via a sharedservers endpoint...

CVE-2025-69416

In the plex.tv backend for Plex Media Server PMS through 2025-12-31, a non-server device token can retrieve other tokens intended for unrelated access via clients.plex.tv/devices.xml...

CVE-2025-69416

In the plex.tv backend for Plex Media Server PMS through 2025-12-31, a non-server device token can retrieve other tokens intended for unrelated access via clients.plex.tv/devices.xml...

CVE-2025-69417

In the plex.tv backend for Plex Media Server PMS through 2025-12-31, a non-server device token can retrieve share tokens intended for unrelated access via a sharedservers endpoint...

CVE-2025-69414

Plex Media Server PMS through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token...

CVE-2025-69415

In Plex Media Server PMS through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account...

CVE-2025-69414

Plex Media Server PMS through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token...

CVE-2025-69415

In Plex Media Server PMS through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account...

CVE-2025-69417

In the plex.tv backend for Plex Media Server PMS through 2025-12-31, a non-server device token can retrieve share tokens intended for unrelated access via a sharedservers endpoint...