HIGH
jxxghp
CVE published 2026-05-29
CVE-2026-10107
MoviePilot v2 contains a server-side request forgery (SSRF) vulnerability in the image proxy endpoint. The vulnerability exists because the SecurityUtils.is_safe_url function performs only domain-membership checking without validating that resolved addresses are not private, loopback, or link-local ranges. An authenticated attacker with a valid resource_token cookie can supply a URL whose domain matches t [truncated]
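As an added illustration (not MoviePilot's code or its fix), the sketch below pairs a domain allow-list with validation of every resolved address, which is the step the description says is missing. The function names, the `images.example` allow-list and the DNS answers are constructed assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample data (not from the advisory): allow-list and DNS answers.
ALLOWED_DOMAINS = ["images.example"]
SAMPLE_DNS = {
    "cdn.images.example": {"8.8.8.8"},
    "a.images.example": {"127.0.0.1"},
    "b.images.example": {"10.0.0.5"},
    "c.images.example": {"169.254.169.254"},
    "d.images.example": {"8.8.8.8", "::ffff:192.168.1.1"},
}

def system_resolve(host):
    """Every address the system resolver returns for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def domain_allowed(host, allowed):
    """Domain-membership test alone, the kind of check the advisory describes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def address_is_public(addr):
    """False for private, loopback, link-local and other non-routable ranges."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:  # unwrap ::ffff:a.b.c.d
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def vetted_addresses(url, allowed, resolve=system_resolve):
    """Return the resolved addresses if the URL passes both checks, else set()."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return set()
    if not domain_allowed(parts.hostname, allowed):
        return set()
    try:
        addrs = set(resolve(parts.hostname))
    except (OSError, KeyError):
        return set()
    # One non-public answer is enough to reject the whole URL.
    return addrs if addrs and all(address_is_public(a) for a in addrs) else set()

if __name__ == "__main__":
    for h in sorted(SAMPLE_DNS):
        ok = vetted_addresses(f"https://{h}/p.jpg", ALLOWED_DOMAINS, SAMPLE_DNS.__getitem__)
        print(h, "allow-listed:", domain_allowed(h, ALLOWED_DOMAINS), "vetted:", sorted(ok))
```

A caller would connect to one of the returned addresses rather than resolving the name again, and repeat the check on each redirect, since a second lookup can return a different answer.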