VYPR
Vendor: Tautulli

Products: 1
CVEs: 17 (17 across products)
Status: Private

Recent CVEs (17)
  • CVE-2026-28505 (Critical), Mar 30, 2026
    risk 0.58, CVSS 10.0, EPSS 0.00

    Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the str_eval() function in notification_handler.py implements a sandboxed eval() for notification text templates. The sandbox attempts to restrict callable names by inspecting…

  • CVE-2026-43986 (Critical), Jun 4, 2026
    risk 0.57, CVSS 9.9, EPSS 0.00

    Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose a public `/image/` route that resolves attacker-controlled entries from `image_hash_lookup` and replays them through the same server-side image fetch logic used…

  • CVE-2026-32275 (Critical), Mar 30, 2026
    risk 0.52, CVSS 9.1, EPSS 0.00

    Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has been patched in version 2.17.0.

  • CVE-2026-43984 (High), Jun 4, 2026
    risk 0.51, CVSS 8.9, EPSS 0.00

    Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose `log_js_errors` to any authenticated user, including guest users when guest access is enabled. The endpoint writes attacker-controlled strings directly into the main…

  • CVE-2026-41065 (High), Jun 4, 2026
    risk 0.51, CVSS not listed, EPSS 0.00

    Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 are vulnerable to remote code execution via the newsletter custom template directory feature. On a fresh install before the setup wizard is completed, all management endpoints…

  • CVE-2026-43985 (High), Jun 4, 2026
    risk 0.50, CVSS 8.8, EPSS 0.00

    Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose `configUpdate` as a state-changing administrator endpoint, but the route does not enforce `POST` and does not use any anti-CSRF token. In the default form and JWT-based…

  • CVE-2026-31831 (High), Mar 30, 2026
    risk 0.42, CVSS 7.5, EPSS 0.00

    Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /newsletter/image/images API endpoint is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem.…

  • CVE-2026-40605 (Medium), Jun 4, 2026
    risk 0.30, CVSS not listed, EPSS 0.00

    Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.1, a path traversal vulnerability in the cache deletion endpoint allows authenticated API access to delete directories outside the configured cache path. This can cause arbitrary…

  • CVE-2026-31799 (Medium), Mar 30, 2026
    risk 0.25, CVSS 4.9, EPSS 0.00

    Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. From version 2.14.2 to before version 2.17.0 for parameters "before" and "after", and from version 2.1.0-beta to before version 2.17.0 for parameters "section_id" and "user_id", the…

  • CVE-2026-31804 (Medium), Mar 30, 2026
    risk 0.19, CVSS 4.0, EPSS 0.00

    Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /pms_image_proxy endpoint accepts a user-supplied img parameter and forwards it to Plex Media Server's /photo/:/transcode transcoder without authentication and without…

  • CVE-2019-19833, Dec 18, 2019
    risk 0.08, CVSS not listed, EPSS 0.15

    In Tautulli 2.1.9, CSRF in the /shutdown URI allows an attacker to shut down the remote media server. (Also, anonymous access can be achieved in applications that do not have a user login area.)

  • CVE-2025-58763, Sep 9, 2025
    risk 0.00, CVSS not listed, EPSS 0.02

    Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. A command injection vulnerability in Tautulli v2.15.3 and prior allows attackers with administrative privileges to obtain remote code execution on the application server. This vulnerability requires…

  • CVE-2025-58762, Sep 9, 2025
    risk 0.00, CVSS not listed, EPSS 0.01

    Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. In Tautulli v2.15.3 and earlier, an attacker with administrative access can use the `pms_image_proxy` endpoint to write arbitrary Python scripts into the application filesystem. This leads to remote…

  • CVE-2025-58761, Sep 9, 2025
    risk 0.00, CVSS not listed, EPSS 0.01

    Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. The `real_pms_image_proxy` endpoint in Tautulli v2.15.3 and prior is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem.…

  • CVE-2025-58760, Sep 9, 2025
    risk 0.00, CVSS not listed, EPSS 0.01

    Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. The `/image` API endpoint in Tautulli v2.15.3 and earlier is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. In…

  • CVE-2018-21031, Nov 18, 2019
    risk 0.00, CVSS not listed, EPSS 0.02

    Tautulli versions 2.1.38 and below allow remote attackers to bypass intended access control in Plex Media Server because the X-Plex-Token is mishandled and can be retrieved from Tautulli. NOTE: Initially, this ID was associated with Plex Media Server 1.18.2.2029-36236cc4c as…

  • CVE-2019-8939, Feb 19, 2019
    risk 0.00, CVSS not listed, EPSS 0.01

    data/interfaces/default/history.html in Tautulli 2.1.26 has XSS via a crafted Plex username that is mishandled when constructing the History page.