MoviePilot v2 contains a server-side request forgery (SSRF) vulnerability in its image proxy endpoint. The vulnerability allows authenticated attackers to make arbitrary requests by providing a resource_token cookie and a URL with an allowed domain. The SecurityUtils.is_safe_url function only performs domain checking without blocking private, loopback, or link-local addresses. This enables attackers to bypass internal network protections and enumerate internal services like Jellyfin, Emby, or Plex. The vulnerability can be exploited to exfiltrate data from internal network resources.