VYPR
Critical severity 10.0 · NVD Advisory · Published Mar 30, 2026 · Updated Apr 2, 2026

CVE-2026-28505

Description

Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the str_eval() function in notification_handler.py implements a sandboxed eval() for notification text templates. The sandbox attempts to restrict callable names by inspecting code.co_names of the compiled code object. However, co_names only contains names from the outer code object. When a lambda expression is used, it creates a nested code object whose attribute accesses are stored in code.co_consts, NOT in code.co_names. The sandbox never inspects nested code objects. This issue has been patched in version 2.17.0.
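The gap described above, as an added illustration (not Tautulli's own code, and not the actual str_eval() logic): a name-only check on the top-level code object is compared with one that walks co_consts recursively, so names referenced inside a lambda body are seen as well. The templates and the denylist are constructed for the demonstration.

```python
import types

# Constructed sample templates (not from the advisory): the first places the
# attribute access inside a lambda, so the name lives in a nested code object.
TEMPLATE_NESTED = "(lambda: item.__class__)()"
TEMPLATE_FLAT = "item.title"

# Hypothetical denylist standing in for whatever names a template sandbox blocks.
DENIED_NAMES = {"__class__", "__import__"}


def outer_names(source: str) -> set[str]:
    """The weak check: inspect only the top-level code object's co_names."""
    code = compile(source, "<template>", "eval")
    return set(code.co_names)


def all_names(source: str) -> set[str]:
    """The corrected check: walk co_consts recursively so that lambdas,
    comprehensions and other nested code objects are inspected too."""
    code = compile(source, "<template>", "eval")
    found: set[str] = set()
    stack = [code]
    while stack:
        current = stack.pop()
        found.update(current.co_names)
        # Nested code objects (e.g. a lambda body) are stored as constants.
        stack.extend(c for c in current.co_consts if isinstance(c, types.CodeType))
    return found


def is_allowed(source: str, recursive: bool) -> bool:
    """Return True if no denied name appears in the inspected code object(s)."""
    names = all_names(source) if recursive else outer_names(source)
    return not (names & DENIED_NAMES)


if __name__ == "__main__":
    for tpl in (TEMPLATE_FLAT, TEMPLATE_NESTED):
        print(f"{tpl!r}: outer-only allows={is_allowed(tpl, False)}, "
              f"recursive allows={is_allowed(tpl, True)}")
```

Running it shows the outer-only check accepting the lambda template while the recursive walk rejects it; any real sandbox should also restrict the evaluation globals and builtins rather than rely on name filtering alone.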


Affected products (2)

  • Tautulli/Tautulli (2 versions)
    • cpe:2.3:a:tautulli:tautulli:*:*:*:*:*:*:*:* (range: <2.17.0)
    • (no CPE) (range: <2.17.0)
