
Tautulli CVE-2026-43984

EUVD-2026-34284 | Severity: HIGH
Cross-site Scripting (XSS) (CWE-79)
Published: 2026-06-04 | Source: GitHub_M
CVSS 3.1 base score: 8.9

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: Low

Lifecycle Timeline

Patch available: Jun 04, 2026 - 17:16 (EUVD)
Source Code Evidence Fetched: Jun 04, 2026 - 16:15 (vuln.today)
Analysis Generated: Jun 04, 2026 - 16:15 (vuln.today)

Description (NVD)

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose log_js_errors to any authenticated user, including guest users when guest access is enabled. The endpoint writes attacker-controlled strings directly into the main application log. The administrator-only logFile view then reads that log file and embeds it into an HTML response without escaping. This creates a stored cross-site scripting condition where a low-privilege guest can inject HTML or JavaScript into the log file and have it execute in an administrator's browser when the log viewer is opened. Version 2.17.1 patches the issue.
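The pattern the description above outlines, as an added illustrative sketch in Python (not Tautulli's own code and not the 2.17.1 patch): a log_js_errors-style handler that writes caller-supplied text into the log and a logFile-style viewer that embeds the log in HTML, each shown beside a hardened form. The function names, the in-memory log and the sample payload are assumptions; the hardened viewer HTML-escapes at render time, while the hardened writer only strips control characters (so lines are not double-encoded when both are in place).

```python
import html
import re
from typing import List

# Constructed in-memory stand-in for the main application log file.
LOG: List[str] = []
# Assumed write-side filter: control characters other than tab/newline.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)

def log_js_errors_vulnerable(message: str) -> None:
    """Pre-fix pattern from the description: caller text is logged verbatim."""
    LOG.append(f"JS error: {message}")

def render_logfile_vulnerable(lines: List[str]) -> str:
    """Pre-fix pattern: log lines embedded in the HTML response unescaped."""
    return "<pre>" + "\n".join(lines) + "</pre>"

def sanitize_js_error(message: str) -> str:
    """Assumed write-side hardening: fold line breaks into spaces so one
    submission cannot forge a second log record, then drop control chars."""
    one_line = re.sub(r"[\r\n]+", " ", message)
    return CONTROL_CHARS.sub("", one_line)

def log_js_errors_hardened(message: str) -> None:
    LOG.append(f"JS error: {sanitize_js_error(message)}")

def render_logfile_hardened(lines: List[str]) -> str:
    """Assumed read-side fix: HTML-escape every line at render time, so the
    viewer is safe regardless of what earlier writers put into the file."""
    body = "\n".join(html.escape(line, quote=True) for line in lines)
    return "<pre>" + body + "</pre>"

def contains_live_script(rendered_html: str) -> bool:
    """Demo check: does the response still carry a raw <script tag?"""
    return SCRIPT_TAG.search(rendered_html) is not None

def demo() -> dict:
    """Run one constructed guest-submitted string through both code paths."""
    payload = "<script>alert('constructed')</script>"  # harmless constructed sample
    LOG.clear()
    log_js_errors_vulnerable(payload)
    vulnerable_page = render_logfile_vulnerable(list(LOG))
    LOG.clear()
    log_js_errors_hardened(payload)
    hardened_page = render_logfile_hardened(list(LOG))
    return {"vulnerable_has_script": contains_live_script(vulnerable_page),
            "hardened_has_script": contains_live_script(hardened_page)}
```

Escaping at render time is the control that closes the stored XSS, because it protects the viewer even against log content written before the fix; the write-side filter addresses log-record forgery, a separate concern.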

Analysis (AI)

Stored cross-site scripting in Tautulli before 2.17.1 allows low-privilege authenticated users (including guests when guest access is enabled) to inject HTML/JavaScript into the main application log via the log_js_errors endpoint, which later executes in an administrator's browser when the admin opens the logFile viewer. The flaw enables privilege escalation against the Plex Media Server monitoring tool's admin account. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain low-privilege/guest Tautulli account
Delivery: Submit malicious payload to log_js_errors endpoint
Exploit: Payload persisted unsanitized in application log
Execution: Administrator opens logFile viewer
Persist: Stored XSS executes in admin browser
Impact: Steal admin session or invoke privileged APIs

Vulnerability Assessment (AI)

Exploitation: Exploitation requires an authenticated Tautulli account. This can be a guest user, but only when the administrator has explicitly enabled guest access in Tautulli; otherwise a standard low-privilege user account is needed. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L (8.9) reflects network reachability, low attack complexity, low-privilege authentication (a guest account suffices where guest access is enabled), required user interaction (an admin must open the log viewer), and a scope change yielding high confidentiality and integrity impact on the admin context. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker with a guest or low-privilege Tautulli account submits a crafted JavaScript error payload to the log_js_errors endpoint containing HTML/JS such as a script tag that exfiltrates the admin session cookie or invokes authenticated API actions. The payload is persisted into the main application log; when an administrator later opens the logFile view, the unescaped content executes in the admin's browser within the admin's session, enabling cookie theft, configuration changes, or further pivot into the linked Plex environment.

Remediation: Vendor-released patch: upgrade Tautulli to version 2.17.1 or later, which sanitizes JS log errors before they are written to the main application log (see https://github.com/Tautulli/Tautulli/releases/tag/v2.17.1 and advisory https://github.com/Tautulli/Tautulli/security/advisories/GHSA-f4j7-pjwc-4jrr). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Inventory all Tautulli instances, identify current versions, and disable guest access if operationally feasible. …
