Which versions of Tautulli are affected by EUVD-2026-34273?

Tautulli versions prior to 2.17.1 are vulnerable to unauthenticated remote code execution on pre-setup systems and authenticated RCE on configured installations (CVE-2026-41065, CVSS 8.9).. A patch is available.

How to fix or mitigate EUVD-2026-34273?

Within 24 hours: Conduct an inventory of all Tautulli deployments and their configuration status; immediately isolate or restrict network access to any pre-setup instances. Within 7 days: Upgrade all Tautulli installations to version 2.17.1 or later. Within 30 days: Implement network segmentation to limit Tautulli access to administrative networks only, review audit logs for exploitation attempts, and deploy monitoring for SMB share access patterns from Tautulli systems.

Tautulli EUVD-2026-34273

Q: What is the CVSS score of EUVD-2026-34273?

EUVD-2026-34273 has a CVSS 4.0 base score of 8.9 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.4%.

| CVE-2026-41065 HIGH

Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)

2026-06-04 GitHub_M

Python Ssti RCE Tautulli

8.9

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Source Code Evidence Fetched

Jun 04, 2026 - 16:50 vuln.today

Analysis Generated

Jun 04, 2026 - 16:50 vuln.today

Patch available

Jun 04, 2026 - 16:16 EUVD

CVSS changed

Jun 04, 2026 - 15:22 NVD

8.9 (HIGH)

CVE Published

Jun 04, 2026 - 14:17 nvd

UNKNOWN (no severity yet)

DescriptionNVD

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 are vulnerable to remote code execution via the newsletter custom template directory feature. On a fresh install before the setup wizard is completed, all management endpoints are completely unauthenticated. An attacker can create a newsletter agent, point the custom template directory to an attacker-controlled SMB share serving a malicious Mako template, and trigger execution via the newsletter render endpoint, all with zero credentials and no local access to the target system. On a completed install with credentials configured, the same chain is exploitable by any admin. Version 2.17.1 fixes the issue.

AnalysisAI

Remote code execution in Tautulli versions prior to 2.17.1 allows attackers to achieve unauthenticated RCE on fresh installations (pre-setup wizard) by abusing the newsletter custom template directory feature to load a malicious Mako template from an attacker-controlled SMB share. On completed installations the same chain remains exploitable by any authenticated admin. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Discover exposed Tautulli pre-setup

Delivery

Create newsletter agent unauthenticated

Exploit

Point template dir to attacker SMB share

Execution

Trigger newsletter render endpoint

Persist

Mako template executes Python payload

Impact

RCE as Tautulli service account