Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

Tautulli — Vulnerabilities & Security Advisories 14

Browse all 14 CVE security advisories affecting Tautulli. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Tautulli serves as a monitoring and analytics tool for Plex Media Server, providing insights into user activity and media consumption. Historically, it has faced vulnerabilities including remote code execution, cross-site scripting, and privilege escalation, often stemming from improper input validation and insecure default configurations. While no major public security incidents have been widely documented, the presence of nine CVEs indicates potential risks in deployment. The application's web interface and API endpoints have been common targets, with issues ranging from information disclosure to complete system compromise when deployed with default settings or outdated versions. Proper hardening and regular updates remain critical for secure operation.

Top products by Tautulli: Tautulli
CVE IDTitleCVSSSeverityPublished
CVE-2026-43986 Tautulli vulnerable to unauthenticated SSRF in /image/<hash> via attacker-seeded image hash replay — TautulliCWE-918 9.9 Critical2026-06-04
CVE-2026-43985 Taultulli has CSRF in /configUpdate via missing anti-CSRF and method restriction that allows admin credential takeover — TautulliCWE-352 8.8 High2026-06-04
CVE-2026-43984 Tautulli has stored XSS in logFile via guest-controlled log_js_errors input — TautulliCWE-79 8.9 High2026-06-04
CVE-2026-41065 Tautulli Vulnerable to Unauthenticated/Authenticated Remote Code Execution via Newsletter Custom Template Directory — TautulliCWE-1336--2026-06-04
CVE-2026-40605 Tautulli Vulnerable to Authenticated Path Traversal in Cache Deletion API — TautulliCWE-22--2026-06-04
CVE-2026-32275 Tautulli: Unsanitized JSONP callback parameter allows cross-origin script injection and API key theft — TautulliCWE-79 7.6 -2026-03-30
CVE-2026-31799 Tautulli: SQL Injection in get_home_stats API endpoint via unsanitised filter parameters — TautulliCWE-89 4.9 Medium2026-03-30
CVE-2026-31831 Tautulli: Unauthenticated Path Traversal in `/newsletter/image/images` endpoint — TautulliCWE-23 7.5 -2026-03-30
CVE-2026-31804 Tautulli: Unauthenticated pms_image_proxy endpoint proxies arbitrary HTTP requests through the Plex Media Server — TautulliCWE-918 4.0 Medium2026-03-30
CVE-2026-28505 Tautulli: RCE via eval() sandbox bypass using lambda nested scope to escape co_names whitelist check — TautulliCWE-94 9.8 -2026-03-30
CVE-2025-58763 Tautulli vulnerable to Authenticated Remote Code Execution via Command Injection — TautulliCWE-78 8.1 High2025-09-09
CVE-2025-58762 Tautulli vulnerable to Authenticated Remote Code Execution via write primitive and `Script` notification agent — TautulliCWE-73 9.1 Critical2025-09-09
CVE-2025-58761 Tautulli vulnerable to Unauthenticated Path Traversal in `real_pms_image_proxy` — TautulliCWE-27 8.6 High2025-09-09
CVE-2025-58760 Tautulli vulnerable to Unauthenticated Path Traversal in `/image` endpoint — TautulliCWE-23 8.6 High2025-09-09

This page lists every published CVE security advisory associated with Tautulli. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.