Description
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. The `real_pms_image_proxy` endpoint in Tautulli v2.15.3 and prior is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. The endpoint is used to fetch an image directly from the backing Plex Media Server, or from a local file, as specified through the `img` URL parameter, which can be either a URL or a file path. There is some validation ensuring that the path begins with the prefix `interfaces/default/images` in order to be served from the local filesystem. However, this can be bypassed by passing a parameter with the valid prefix and then adjoining traversal characters to reach outside of the intended directories. An attacker can exfiltrate sensitive files on the system, including the `tautulli.db` SQLite database containing active JWT tokens, as well as `config.ini`, which contains the hashed admin password, the token secret, and Plex Media Server connection details. If the password is cracked, or if a token is present in the database, an attacker can escalate their privileges and obtain administrative control over the application. Version 2.16.0 fixes the issue.
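As an added illustration (not code from Tautulli, its fix commit, or the advisory), the following Python contrasts the kind of prefix-only check the description refers to with a containment check that resolves the requested path and verifies it stays under the allowed images directory. The application root, the function names and the sample inputs are constructed for this example and are not taken from the project.

```python
import os
from typing import Optional

# Constructed application root for the example; the real install path is
# not known here and is not taken from the advisory.
APP_ROOT = "/example-app-root"
ALLOWED_PREFIX = "interfaces/default/images"


def is_allowed_prefix_only(img: str) -> bool:
    """Weak check: the request path merely has to start with the allowed prefix.

    A value that begins with the prefix and then appends '..' segments passes,
    as does a sibling directory whose name merely extends the prefix string.
    """
    return img.startswith(ALLOWED_PREFIX)


def resolve_within_allowed_dir(img: str, app_root: str = APP_ROOT) -> Optional[str]:
    """Hardened check: canonicalize, then test directory containment.

    Returns the resolved absolute path when it lies inside the allowed
    images directory, or None when the request must be rejected.
    """
    allowed_dir = os.path.realpath(os.path.join(app_root, ALLOWED_PREFIX))

    # Reject absolute paths outright: os.path.join() would discard app_root.
    if os.path.isabs(img):
        return None

    # realpath() collapses '.' and '..' segments and follows symlinks for
    # components that exist, so the containment test sees the real target.
    candidate = os.path.realpath(os.path.join(app_root, img))

    # commonpath() is a component-wise test; a plain string startswith()
    # would wrongly accept a sibling such as '.../images_private'.
    if os.path.commonpath([allowed_dir, candidate]) != allowed_dir:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one traversal, one sibling dir.
    samples = [
        "interfaces/default/images/logo.png",
        "interfaces/default/images/../../../secret.txt",
        "interfaces/default/images_private/x.png",
    ]
    for sample in samples:
        print(f"{sample!r}: prefix-only={is_allowed_prefix_only(sample)} "
              f"contained={resolve_within_allowed_dir(sample)}")
```

The key difference is that the hardened version decides on the canonical path rather than on the raw string: only after `..` segments are collapsed can a check on the result mean anything, and comparing path components (not string prefixes) avoids accepting directories that merely share a name prefix.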
https://github.com/Tautulli/Tautulli/commit/ec77a70aafc555e1aad0d9981f719d1200c117f1
https://github.com/Tautulli/Tautulli/security/advisories/GHSA-r732-m675-wj7w