plex-mcp-server

1. **Remote Code Execution / API Injection (High Risk):** The `server_run_butler_task` tool directly interpolates the `task_name` argument into the Plex API URL (`/butler/{task_name}`) without any explicit validation or whitelisting. A malicious MCP client could exploit this to attempt accessing or triggering arbitrary, unintended endpoints on the Plex Media Server that fall under the `/butler/` path, potentially leading to unauthorized actions or unexpected server behavior. 2. **Information Disclosure (Moderate Risk):** The `media_set_artwork` tool allows specifying a `filepath` for custom artwork. If a malicious MCP client controls this `filepath` parameter, it could instruct the Plex server (via `plexapi`) to read and potentially upload arbitrary local files from the server's filesystem to Plex, leading to information disclosure of sensitive files accessible by the server process. 3. **Network Exposure (Moderate Risk):** The Server-Sent Events (SSE) server binds to `0.0.0.0` by default (`FASTMCP_HOST`). This means it listens on all available network interfaces. If deployed on a publicly accessible server without proper network segmentation or firewall rules, it would be exposed to the internet. This increases the risk of unauthorized access or attacks if the `PLEX_TOKEN` is compromised or the exposed tools are misused.