VYPR
High severity7.7NVD Advisory· Published May 29, 2026· Updated May 29, 2026

CVE-2026-10107

CVE-2026-10107

Description

MoviePilot v2 contains a server-side request forgery vulnerability in the image proxy endpoint that allows authenticated attackers to request arbitrary URLs by supplying a resource_token cookie and a URL whose domain matches the assembled allowlist. Attackers can bypass internal network protections because the SecurityUtils.is_safe_url function performs only domain-membership checking without blocking private, loopback, or link-local addresses, enabling enumeration of internal services such as Jellyfin, Emby, or Plex and exfiltration of data from internal network resources.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Jxxghp/Moviepilotreferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: <2.13.2

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.