CVE-2026-43984
Description
Tautulli versions before 2.17.1 allow low-privilege users to inject JavaScript into logs, which executes when an admin views them.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Tautulli, a monitoring tool for Plex Media Server, versions prior to 2.17.1 contain a stored cross-site scripting vulnerability. The log_js_errors endpoint, accessible by any authenticated user including guests if guest access is enabled, writes attacker-controlled strings directly into the application log. This vulnerability exists because the administrator-only logFile view reads this log and embeds its content into an HTML response without proper escaping [1].
Exploitation
An attacker with guest access or any other non-administrative authenticated account can exploit this vulnerability. The attacker needs to send a crafted message to the log_js_errors endpoint. This message will be written to the application log. The vulnerability is triggered when an administrator accesses the logFile page, which renders the log content, including the injected malicious HTML or JavaScript, directly into the browser [1].
Impact
Successful exploitation allows a low-privilege guest user to inject HTML or JavaScript into the application log. When an administrator views the log file, this injected script will execute within the administrator's browser. This can lead to session hijacking, unauthorized actions performed on behalf of the administrator, or further compromise of the Tautulli instance and potentially the underlying system, depending on the administrator's privileges [1].
Mitigation
Tautulli version 2.17.1, released on 2026-05-04, addresses this vulnerability by sanitizing JavaScript log errors [2]. Users are advised to update to version 2.17.1 or later to fix this issue.
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches (2)
2283fce9e9d6b: Set Plex Admin default enabled
2 files changed · +1 −2
data/interfaces/default/welcome.html+0 −1 modified@@ -101,7 +101,6 @@ <h3>Authentication</h3> </div> </div> </div> - <input type="hidden" class="form-control" name="http_plex_admin" id="http_plex_admin" value="1"> <input type="hidden" id="authentication_valid" data-validate="validateAuthentication" value=""> <span style="display: none;" id="authentication-status"></span> </div>
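Review bot: with the hidden `http_plex_admin` input removed from the welcome wizard, the form no longer submits that key at all, so the effective value now comes entirely from the `HTTP_PLEX_ADMIN` default in `plexpy/config.py`; the commit message does not say why the wizard-side hard-coded `value="1"` is being dropped in favour of a config default, and that rationale belongs in the message or a short comment next to the remaining `authentication_valid` input.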
plexpy/config.py+1 −1 modified@@ -132,7 +132,7 @@ def bool_int(value): 'HTTP_PROXY': (int, 'General', 0), 'HTTP_ROOT': (str, 'General', ''), 'HTTP_USERNAME': (str, 'General', ''), - 'HTTP_PLEX_ADMIN': (int, 'General', 0), + 'HTTP_PLEX_ADMIN': (int, 'General', 1), 'HTTP_BASE_URL': (str, 'General', ''), 'HTTP_RATE_LIMIT_ATTEMPTS': (int, 'General', 10), 'HTTP_RATE_LIMIT_ATTEMPTS_INTERVAL': (int, 'General', 300),
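Review bot: flipping the `HTTP_PLEX_ADMIN` default from 0 to 1 in the definitions table normally affects only configs where the key is absent, so confirm how existing installs that already persisted 0 are meant to behave and say so in the commit message. More importantly for this advisory, neither hunk in this commit touches `log_js_errors` or `logFile` in `plexpy/webserve.py`, which the text above names as the affected code, so the escaping change the narrative attributes to these patches is not visible here; either document how this commit relates to the XSS fix or reference the commit that actually adds the escaping.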
86621d989b62: Don't save Plex Pass flag when getting PMS update params
1 file changed · +0 −4
plexpy/plextv.py+0 −4 modified@@ -830,13 +830,9 @@ def get_plexpass_status(self): return False if subscription and helpers.get_xml_attr(subscription[0], 'active') == '1': - plexpy.CONFIG.__setattr__('PMS_PLEXPASS', 1) - plexpy.CONFIG.write() return True else: logger.debug("Tautulli PlexTV :: Plex Pass subscription not found.") - plexpy.CONFIG.__setattr__('PMS_PLEXPASS', 0) - plexpy.CONFIG.write() return False def get_devices_list(self):
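Review bot: removing both `plexpy.CONFIG.__setattr__('PMS_PLEXPASS', ...)` / `plexpy.CONFIG.write()` pairs turns `get_plexpass_status` into a pure query, which matches the commit message, but any caller that previously relied on this method to refresh `PMS_PLEXPASS` in the stored config (rather than using the returned bool) will now read a stale value; check the callers and, if the change is intentional, note in the method's docstring that the result is no longer persisted. As with the other commit, nothing here touches the `log_js_errors`/`logFile` code path, so its inclusion as a patch for this CVE is unexplained.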
Vulnerability mechanics
Root cause
"A privilege boundary mismatch allows low-privilege users to write to the application log, which is then rendered unescaped by an administrator-only view."
Attack vector
An attacker with guest access or any non-administrator authenticated account can exploit this vulnerability. The attacker sends a crafted GET request to the `/log_js_errors` endpoint, injecting HTML or JavaScript within the `message` parameter. This payload is written directly into the application's log file. The vulnerability is triggered when an administrator later accesses the `/logFile` page, causing the injected script to execute within the administrator's browser context [ref_id=1].
Affected code
The vulnerability resides in the `log_js_errors` function within `plexpy/webserve.py`, which accepts attacker-controlled input and writes it to the log. The `logFile` function in the same file reads this log and embeds its content into an HTML response without proper sanitization, leading to the stored XSS [ref_id=1].
What the fix does
Version 2.17.1 addresses this vulnerability by ensuring that user-supplied input is properly escaped before being written to the log file. This prevents malicious HTML or JavaScript from being stored in the log. Consequently, when the administrator views the log file, the previously injected content is rendered as plain text, and no script execution occurs [patch_id=4822913, patch_id=4822914].
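The escape-before-logging pattern the fix is described as using, alongside an escape-at-render fallback for a logFile-style view and a simple detection pass over log lines, as an added Python illustration that is not Tautulli's own code; the log-line format, function names and sample entries are constructed here, and the markup regex is an assumption about what a genuine browser error message should not contain:

```python
import html
import re

# Constructed sample entries in a js-error log-line shape; not real Tautulli output.
SAMPLE_LOG = [
    "2026-05-01 10:00:00 - INFO :: JavaScript error: page=home file=app.js line=12 "
    "message=TypeError: x is undefined",
    "2026-05-01 10:05:00 - INFO :: JavaScript error: page=home file=app.js line=1 "
    "message=<script>alert(document.domain)</script>",
    "2026-05-01 10:06:00 - INFO :: JavaScript error: page=home file=app.js line=1 "
    'message=<img src=x onerror="alert(1)">',
]

# Assumed indicators of markup in a message: a tag opener, an on*= handler, a javascript: URL.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def log_js_error_unsafe(page, message, file, line):
    # The pre-2.17.1 pattern the advisory describes: caller-supplied values are
    # interpolated into the log line exactly as received.
    return f"JavaScript error: page={page} file={file} line={line} message={message}"


def log_js_error_escaped(page, message, file, line):
    # The fix the advisory describes: every request-supplied field is HTML-escaped
    # before the string is written to the log, so stored text can never be markup.
    esc = lambda v: html.escape(str(v), quote=True)
    return (f"JavaScript error: page={esc(page)} file={esc(file)} "
            f"line={esc(line)} message={esc(message)}")


def render_log_file(lines):
    # Defence in depth for a logFile-style admin view: escape again at output time,
    # so even a log written by an older version cannot carry markup into the browser.
    body = "\n".join(html.escape(line, quote=True) for line in lines)
    return "<pre>" + body + "</pre>"


def find_suspicious_entries(lines):
    # Detection: return 1-based indexes of js-error lines whose message part carries
    # markup-like content, which a real browser error string should not.
    hits = []
    for n, line in enumerate(lines, 1):
        if "JavaScript error" not in line:
            continue
        message = line.split("message=", 1)[-1]
        if MARKUP_RE.search(message):
            hits.append(n)
    return hits
```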
Preconditions
- Config: Tautulli must be configured to allow guest access, or the attacker must possess any authenticated non-admin account.
- Auth: The attacker must have guest or non-administrator authenticated access.
- Input: The attacker must be able to send a request to the `log_js_errors` endpoint with a malicious payload in the `message` parameter.
Reproduction
1. Authenticate as a guest or other non-admin user.
2. Send a request to `/log_js_errors?page=home&message=%3Cscript%3Ealert(document.domain)%3C/script%3E&file=app.js&line=1`.
3. Wait for an administrator to open the `/logFile?logfile=tautulli` page.
4. The JavaScript payload will execute in the administrator's browser.
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0)
No linked articles in our index yet.