What is the CVSS score of CVE-2025-58760?

CVE-2025-58760 has a CVSS 3.1 base score of 8.6 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N. EPSS exploitation probability: 0.2%.

Which versions of Python are affected by CVE-2025-58760?

Organizations using Tautulli face significant risk from CVE-2025-58760 rated CVSS 8.6.. A patch is available.

Is there a public PoC exploit available for CVE-2025-58760?

Yes, a public proof-of-concept exploit is available for CVE-2025-58760. Prioritise patching immediately. EPSS: 0.2%.

How to fix or mitigate CVE-2025-58760?

Within 7 days: Identify all affected systems running Tautulli and apply vendor patches promptly. Vendor patch is available.

Python CVE-2025-58760

HIGH

Relative Path Traversal (CWE-23)

2025-09-09 security-advisories@github.com

Python Path Traversal Tautulli

8.6

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:11 vuln.today

Patch released

Mar 28, 2026 - 19:11 nvd

Patch available

PoC Detected

Sep 18, 2025 - 17:30 vuln.today

Public exploit code

CVE Published

Sep 09, 2025 - 20:15 nvd

HIGH 8.6

DescriptionNVD

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. The /image API endpoint in Tautulli v2.15.3 and earlier is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. In Tautulli, the /image API endpoint is used to serve static images from the application's data directory to users. This endpoint can be accessed without authentication, and its intended purpose is for server background images and icons within the user interface. Attackers can exfiltrate files from the application file system, including the tautulli.db SQLite database containing active JWT tokens, as well as the config.ini file which contains the hashed admin password, the JWT token secret, and the Plex Media Server token and connection details. If the password is cracked, or if a valid JWT token is present in the database, an unauthenticated attacker can escalate their privileges to obtain administrative control over the application. Version 2.16.0 contains a fix for the issue.

AnalysisAI

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified under CWE-23. Tautulli is a Python based monitoring and tracking tool for Plex Media Server. The /image API endpoint in Tautulli v2.15.3 and earlier is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. In Tautulli, the /image API endpoint is used to serve static images from the application's data directory to users. This endpoint can be accessed without authentication, and its intended purpose is for server background images and icons within the user interface. Attackers can exfiltrate files from the application file system, including the tautulli.db SQLite database containing active JWT tokens, as well as the config.ini file which contains the hashed admin password, the JWT token secret, and the Plex Media Server token and connection details. If the password is cracked, or if a valid JWT token is present in the database, an unauthenticated attacker can escalate their privileges to obtain administrative control over the application. Version 2.16.0 contains a fix for the issue. Affected products include: Tautulli. Version information: Version 2.16.0.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More from same product – last 7 days

CVE-2026-43986 CRITICAL Act Now

9.9 Jun 04

Unauthenticated server-side request forgery in Tautulli versions prior to 2.17.1 allows remote attackers to coerce the T

CVE-2026-47731 CRITICAL Act Now

9.1 Jun 05

Path traversal in NASA AMMOS AIT-Core's Binary Stream Capture (BSC) component allows unauthenticated remote attackers to

CVE-2026-48031 CRITICAL Act Now

9.1 Jun 10

Authentication bypass in dhax/go-base Go REST API boilerplate (versions prior to commit cc82b974, merged May 17, 2026) a

CVE-2026-41065 HIGH This Week

8.9 Jun 04

Remote code execution in Tautulli versions prior to 2.17.1 allows attackers to achieve unauthenticated RCE on fresh inst

CVE-2026-43984 HIGH This Week

8.9 Jun 04

Stored cross-site scripting in Tautulli before 2.17.1 allows low-privilege authenticated users (including guests when gu

CVE-2025-58760 vulnerability details – vuln.today

Back

Python CVE-2025-58760

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

More from same product – last 7 days

Share

External POC / Exploit Code