← back
CVE-2026-10107

MoviePilot v2 SSRF via /api/v1/system/img/{proxy} Endpoint

CVSS 7 HIGHEPSS 0.3%CWE-918
MoviePilot v2 contains a server-side request forgery vulnerability in the image proxy endpoint that allows authenticated attackers to request arbitrary URLs by supplying a resource_token cookie and a URL whose domain matches the assembled allowlist. Attackers can bypass internal network protections because the SecurityUtils.is_safe_url function performs only domain-membership checking without blocking private, loopback, or link-local addresses, enabling enumeration of internal services such as Jellyfin, Emby, or Plex and exfiltration of data from internal network resources.
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Affected products
jxxghp · MoviePilot

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/jxxghp/MoviePilot/commit/0b7854a0af8751160b68c43c46ded48d2bd8a212https://github.com/jxxghp/MoviePilot/issues/5823https://github.com/jxxghp/MoviePilot/releases/tag/v2.13.2https://www.vulncheck.com/advisories/moviepilot-v2-ssrf-via-api-v1-system-img-proxy-endpoint