{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-10107/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-10107"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["MoviePilot v2"],"_cs_severities":["high"],"_cs_tags":["ssrf","cve-2026-10107","server-side request forgery","network"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMoviePilot v2 is susceptible to a server-side request forgery (SSRF) vulnerability, identified as CVE-2026-10107, in its image proxy endpoint. The flaw lets an authenticated attacker make the MoviePilot server issue requests to internal network resources on the attacker\u0026rsquo;s behalf. It stems from insufficient URL validation in the \u003ccode\u003eSecurityUtils.is_safe_url\u003c/code\u003e function, which checks domain membership against an allowlist but does not reject private, loopback, or link-local addresses, so the decision is made on the name alone and not on the address the request will actually reach. An attacker can thereby bypass intended network segregation, enumerate internal services such as Jellyfin, Emby, or Plex, and exfiltrate sensitive data from internal network resources. 
This issue poses a significant risk to the confidentiality and integrity of data within the affected network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the MoviePilot v2 application and obtains a valid \u003ccode\u003eresource_token\u003c/code\u003e cookie.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a URL that points at an internal resource (e.g., a private, loopback, or link-local address hosting a service such as Jellyfin).\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the image proxy endpoint with the crafted URL and the \u003ccode\u003eresource_token\u003c/code\u003e cookie.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eSecurityUtils.is_safe_url\u003c/code\u003e checks only whether the domain in the crafted URL is present in the assembled allowlist; it does not validate the address range (private, loopback, or link-local), so the URL is accepted.\u003c/li\u003e\n\u003cli\u003eThe MoviePilot server fetches the specified internal resource.\u003c/li\u003e\n\u003cli\u003eThe proxy returns the response to the attacker, potentially revealing sensitive information or enabling further exploitation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability (CVE-2026-10107) could allow an attacker to enumerate internal services (Jellyfin, Emby, Plex) and exfiltrate sensitive data from internal network resources. The impact includes disclosure of sensitive data, compromise of internal services, and further lateral movement within the network. 
The CVSS v3.1 base score for this vulnerability is 7.7, indicating high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule to detect SSRF attempts by monitoring requests to the image proxy endpoint whose URL parameter targets private, loopback, or link-local addresses.\u003c/li\u003e\n\u003cli\u003eApply the Sigma rule to detect enumeration of internal services through SSRF by monitoring outbound requests from the MoviePilot server to common service ports or paths.\u003c/li\u003e\n\u003cli\u003eImplement stricter validation in the \u003ccode\u003eSecurityUtils.is_safe_url\u003c/code\u003e function: resolve the hostname and reject the request if any resolved address is private, loopback, or link-local (including IPv4 addresses embedded in IPv6), rather than deciding on the hostname alone; if the proxy follows redirects, apply the same check to every redirect target.\u003c/li\u003e\n\u003cli\u003eApply network segmentation and access controls to limit the MoviePilot server\u0026rsquo;s access to only the internal resources it needs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T18:18:53Z","date_published":"2026-05-29T18:18:53Z","id":"https://feed.craftedsignal.io/briefs/2026-05-moviepilot-ssrf/","summary":"MoviePilot v2 is vulnerable to server-side request forgery (SSRF) in the image proxy endpoint: authenticated attackers can supply URLs that reach private, loopback, or link-local addresses, enumerate internal services, and exfiltrate data from internal network resources by bypassing internal network protections.","title":"MoviePilot v2 Server-Side Request Forgery Vulnerability (CVE-2026-10107)","url":"https://feed.craftedsignal.io/briefs/2026-05-moviepilot-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-10107","version":"https://jsonfeed.org/version/1.1"}
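The allowlist-only check the advisory describes, beside the address-aware check its recommendation calls for, as an added example in Python. This is not MoviePilot's `SecurityUtils` code: the function names, `ALLOWED_DOMAINS`, `DEMO_RECORDS` and every hostname and address in it are constructed for illustration, and the stub resolver exists only so the example runs offline.

```python
"""Allowlist-only vs. address-aware URL validation for an image proxy.

Added example; not MoviePilot's code. All names and addresses are
constructed for this demonstration.
"""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlparse

# Hypothetical allowlist of image hosts (constructed for this example).
ALLOWED_DOMAINS = {"image.tmdb.org", "assets.fanart.tv"}


def _in_allowlist(host: str, allowed: Iterable[str]) -> bool:
    return any(host == d or host.endswith("." + d) for d in allowed)


def is_safe_url_allowlist_only(url: str, allowed: Iterable[str] = ALLOWED_DOMAINS) -> bool:
    """Check in the style the advisory describes: the decision rests on the
    hostname alone, so a name under an allowlisted domain that resolves to
    127.0.0.1 or 10.0.0.5 is accepted."""
    host = urlparse(url).hostname or ""
    return _in_allowlist(host, allowed)


def _is_disallowed_address(addr: str) -> bool:
    """True for any address a proxy must never fetch from: private, loopback,
    link-local, multicast, reserved or unspecified. IPv4 addresses embedded in
    IPv6 (::ffff:10.0.0.5) are unwrapped first so they cannot slip through."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_all(host: str) -> list[str]:
    """Default resolver: every A/AAAA record the system resolver returns."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_safe_url_hardened(url: str,
                         allowed: Iterable[str] = ALLOWED_DOMAINS,
                         resolver: Callable[[str], list[str]] = resolve_all) -> bool:
    """Address-aware check: scheme, allowlist and every resolved address must
    all be acceptable. One disallowed record among several rejects the URL,
    so a mixed A-record set cannot smuggle an internal address past it."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    if parsed.username or parsed.password:   # reject allowlisted@internal tricks
        return False
    if not _in_allowlist(parsed.hostname, allowed):
        return False
    try:
        addrs = resolver(parsed.hostname)
    except (socket.gaierror, ValueError):
        return False
    if not addrs:
        return False
    return not any(_is_disallowed_address(a) for a in addrs)


# Constructed DNS records so the example runs offline; production code would
# use resolve_all above. 93.184.216.x stands in for public addresses.
DEMO_RECORDS = {
    "image.tmdb.org": ["93.184.216.34"],
    "internal.image.tmdb.org": ["10.0.0.5"],                    # private
    "lo.image.tmdb.org": ["::ffff:127.0.0.1"],                  # loopback in IPv6
    "dual.image.tmdb.org": ["93.184.216.35", "169.254.169.254"],  # mixed records
}


def demo_resolver(host: str) -> list[str]:
    try:
        return DEMO_RECORDS[host]
    except KeyError:
        raise socket.gaierror(f"no records for {host}")


if __name__ == "__main__":
    for u in ["https://image.tmdb.org/p.jpg", "https://internal.image.tmdb.org/p.jpg",
              "https://lo.image.tmdb.org/p.jpg", "https://dual.image.tmdb.org/p.jpg",
              "http://image.tmdb.org@10.0.0.5/"]:
        print(f"{u:45} allowlist-only={is_safe_url_allowlist_only(u)!s:5} "
              f"hardened={is_safe_url_hardened(u, resolver=demo_resolver)}")
```

The hardened check still has a time-of-check gap: the name is resolved once for validation and again by the HTTP client when it connects, so a resolver under attacker control can answer differently the second time (DNS rebinding). A complete fix connects to the address that passed validation rather than re-resolving, and runs the same check on every redirect target if the client follows redirects.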