
Tautulli — Vulnerabilities & Security Advisories (14)

All 14 CVE vulnerabilities found in Tautulli, with AI-generated Chinese analysis, references, and POCs.

This page catalogs known security weaknesses and vulnerabilities associated with Tautulli, a popular media activity monitoring and notification tool for Plex. It aggregates the Common Weakness Enumerations (CWE) affecting the software, including buffer overflows, injection flaws, and access control issues identified by security researchers and developers. The collection covers historical data from the initial release of the application through recent updates, giving a timeline of security incidents. Users and security professionals can use it to track vendor advisories and stay informed about critical patches and mitigations, to understand which weakness classes are prevalent in media server add-ons, and to look up Tautulli's vulnerability history in detail. Administrators can use it to assess the risk posture of their installation and prioritize remediation based on severity and exploitability. The data is sourced from public vulnerability databases, official changelogs, and community reports, covering both critical and low-severity issues. The page serves as a centralized reference for evaluating the security lifecycle of the product and how its defenses have evolved against emerging threats.

Vendor: Tautulli

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-43986 | Tautulli vulnerable to unauthenticated SSRF in /image/<hash> via attacker-seeded image hash replay | CWE-918 | 9.9 | Critical | 2026-06-04 |
| CVE-2026-43985 | Tautulli has CSRF in /configUpdate via missing anti-CSRF and method restriction that allows admin credential takeover | CWE-352 | 8.8 | High | 2026-06-04 |
| CVE-2026-43984 | Tautulli has stored XSS in logFile via guest-controlled log_js_errors input | CWE-79 | 8.9 | High | 2026-06-04 |
| CVE-2026-41065 | Tautulli Vulnerable to Unauthenticated/Authenticated Remote Code Execution via Newsletter Custom Template Directory | CWE-1336 | - | - | 2026-06-04 |
| CVE-2026-40605 | Tautulli Vulnerable to Authenticated Path Traversal in Cache Deletion API | CWE-22 | - | - | 2026-06-04 |
| CVE-2026-32275 | Tautulli: Unsanitized JSONP callback parameter allows cross-origin script injection and API key theft | CWE-79 | 7.6 | - | 2026-03-30 |
| CVE-2026-31799 | Tautulli: SQL Injection in get_home_stats API endpoint via unsanitised filter parameters | CWE-89 | 4.9 | Medium | 2026-03-30 |
| CVE-2026-31831 | Tautulli: Unauthenticated Path Traversal in `/newsletter/image/images` endpoint | CWE-23 | 7.5 | - | 2026-03-30 |
| CVE-2026-31804 | Tautulli: Unauthenticated pms_image_proxy endpoint proxies arbitrary HTTP requests through the Plex Media Server | CWE-918 | 4.0 | Medium | 2026-03-30 |
| CVE-2026-28505 | Tautulli: RCE via eval() sandbox bypass using lambda nested scope to escape co_names whitelist check | CWE-94 | 9.8 | - | 2026-03-30 |
| CVE-2025-58763 | Tautulli vulnerable to Authenticated Remote Code Execution via Command Injection | CWE-78 | 8.1 | High | 2025-09-09 |
| CVE-2025-58762 | Tautulli vulnerable to Authenticated Remote Code Execution via write primitive and `Script` notification agent | CWE-73 | 9.1 | Critical | 2025-09-09 |
| CVE-2025-58761 | Tautulli vulnerable to Unauthenticated Path Traversal in `real_pms_image_proxy` | CWE-27 | 8.6 | High | 2025-09-09 |
| CVE-2025-58760 | Tautulli vulnerable to Unauthenticated Path Traversal in `/image` endpoint | CWE-23 | 8.6 | High | 2025-09-09 |
