Tautulli
Remote code execution in Tautulli versions prior to 2.17.1: on a fresh installation that has not yet completed the setup wizard, an unauthenticated attacker can abuse the newsletter custom template directory feature to point the template lookup at an attacker-controlled SMB share and load a malicious Mako template, which then executes server-side. On completed installations the same chain is reachable by any authenticated admin. SSVC records that public exploit code exists and rates the issue as automatable with total technical impact; no CISA KEV listing has been confirmed.
Path traversal in Tautulli's cache deletion API endpoint allows an authenticated low-privilege user to delete arbitrary directories outside the configured cache root, causing data loss and service disruption. All Tautulli versions prior to 2.17.1 are affected; the vendor-confirmed fix is v2.17.1 (released 2026-05-04). The CVSS 4.0 exploit maturity value E:P indicates that proof-of-concept exploit code exists; no public exploit identified at the time of analysis amounted to CISA KEV-confirmed active exploitation.
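The two flaws above share a root cause: a path supplied by the requester (a cache subdirectory name in one case, a custom template directory in the other) is used without checking that it stays inside the directory the server intended, and in the template case without checking that it is local at all. The Python below is an added example written for this page, not Tautulli's code; the handler names, the cache layout, the allowed template root and the demo fixture are assumptions. It shows the unsafe join-and-delete pattern beside a containment check built on realpath (so a symlink inside the root that points outside is rejected, not just lexical `..`), and a check that refuses UNC paths for the template directory so a template lookup cannot be pointed at an SMB share.

```python
"""
Added example, not Tautulli's code. Handler names, paths and the fixture
built in demo() are assumptions made for illustration.
"""
import os
import shutil
import tempfile
from typing import Optional


def resolve_within(root: str, untrusted: str) -> Optional[str]:
    """Resolve `untrusted` (relative or absolute) against `root` and return the
    canonical path only if it is `root` or a descendant of it, else None.
    realpath follows symlinks, so a link inside root that targets a directory
    outside root is rejected as well as plain '..' sequences."""
    root_real = os.path.realpath(root)
    # os.path.join discards root_real if `untrusted` is absolute; the
    # commonpath check below catches that case too.
    candidate = os.path.realpath(os.path.join(root_real, untrusted))
    try:
        shared = os.path.commonpath([root_real, candidate])
    except ValueError:  # different drives on Windows: cannot be inside root
        return None
    return candidate if shared == root_real else None


def delete_cache_dir_unsafe(cache_root: str, name: str) -> str:
    """The pattern the advisory describes: join and delete with no containment
    check. A name containing '..' (or an absolute name) escapes cache_root."""
    target = os.path.join(cache_root, name)
    shutil.rmtree(target, ignore_errors=True)
    return target


def delete_cache_dir_safe(cache_root: str, name: str) -> str:
    """Hardened variant: refuse anything that resolves outside cache_root,
    and refuse cache_root itself."""
    target = resolve_within(cache_root, name)
    if target is None or target == os.path.realpath(cache_root):
        raise ValueError(f"refusing to delete outside cache root: {name!r}")
    shutil.rmtree(target, ignore_errors=True)
    return target


def is_unc_or_remote(path: str) -> bool:
    """True for UNC-style paths (\\\\host\\share or //host/share), which a
    template lookup on Windows would fetch over SMB."""
    normalized = path.replace("\\", "/")
    return normalized.startswith("//")


def validate_template_dir(path: str, allowed_root: str) -> str:
    """Accept a custom template directory only if it is not a UNC path and
    resolves inside allowed_root (an assumed, operator-configured base)."""
    if is_unc_or_remote(path):
        raise ValueError(f"UNC/remote template directory rejected: {path!r}")
    resolved = resolve_within(allowed_root, path)
    if resolved is None:
        raise ValueError(f"template directory outside {allowed_root!r}: {path!r}")
    return resolved


def demo() -> dict:
    """Build a throwaway directory layout (constructed fixture), run the unsafe
    and safe handlers against a traversal name, and report what happened."""
    base = tempfile.mkdtemp(prefix="tautulli-example-")
    cache = os.path.join(base, "cache")
    victim = os.path.join(base, "config")  # sibling directory outside the cache root
    os.makedirs(os.path.join(cache, "images"))
    os.makedirs(victim)

    delete_cache_dir_unsafe(cache, "../config")
    victim_gone = not os.path.isdir(victim)

    os.makedirs(victim, exist_ok=True)
    try:
        delete_cache_dir_safe(cache, "../config")
        safe_blocked = False
    except ValueError:
        safe_blocked = True

    delete_cache_dir_safe(cache, "images")  # legitimate in-root deletion
    images_gone = not os.path.isdir(os.path.join(cache, "images"))

    shutil.rmtree(base, ignore_errors=True)
    return {
        "unsafe_escaped_root": victim_gone,
        "safe_refused_traversal": safe_blocked,
        "safe_deleted_inside_root": images_gone,
    }


if __name__ == "__main__":
    print(demo())
```

Note that `resolve_within` compares against `commonpath`, not a string prefix: a prefix test would accept `/var/lib/tautulli/cache-old` as being under `/var/lib/tautulli/cache`. The UNC check is deliberately narrow; a mapped drive letter that points at a share is indistinguishable from a local drive at this layer, which is one reason the containment check under a local allowed root is applied as well.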
Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable. Public exploit code is available and no vendor patch is available.
Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available.
Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable with low attack complexity and requires no authentication. Public exploit code is available.