PatchSiren cyber security CVE debrief
CVE-2026-41065 Tautulli CVE debrief
CVE-2026-41065 is a high-severity remote code execution vulnerability in Tautulli, a Python-based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 are vulnerable via the newsletter custom template directory feature. On a fresh install, before the setup wizard is completed, every management endpoint is unauthenticated. An attacker can create a newsletter agent, point its custom template directory at an attacker-controlled SMB share serving a malicious Mako template, and trigger execution via the newsletter render endpoint, with no credentials and no local access to the target system; because Mako templates compile to Python code when rendered, the template runs in the Tautulli process. On a completed install with credentials configured, the same chain is exploitable by any admin. Version 2.17.1 fixes the issue.
- Vendor: Tautulli
- Product: Unknown
- CVSS: HIGH 8.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-04
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-04
Who should care
Administrators of Tautulli instances running versions prior to 2.17.1 should upgrade immediately. Instances that were installed but never completed the setup wizard are the most exposed, since their management endpoints require no authentication at all.
Technical summary
The flaw lies in the newsletter custom template directory feature of Tautulli. The exploitation chain is: create a newsletter agent, set its custom template directory to an attacker-controlled SMB share that serves a malicious Mako template, and invoke the newsletter render endpoint so that the remote template is loaded and executed. On an install whose setup wizard has not been completed this requires no credentials; on a configured install it requires an admin account.
Defensive priority
High
Recommended defensive actions
- Upgrade to Tautulli version 2.17.1 or later.
- Complete the setup wizard and configure credentials immediately after installation; until that is done, all management endpoints are unauthenticated, so never leave a freshly installed instance reachable from untrusted networks.
- Audit existing newsletter agents for custom template directories that point at network shares (UNC or smb:// paths), and monitor the Tautulli host for unexpected outbound SMB connections and for newsletter agents you did not create.
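The following script is an added defender-side example and is not Tautulli's own code. It implements the two checks above: comparing a running version against the fixed release 2.17.1, and flagging newsletter agents whose custom template directory points at a remote share. The newsletter records are represented as plain dicts with a hypothetical `custom_template` key, and the sample records are constructed for illustration rather than read from a real Tautulli database.

```python
"""Defender-side checks for CVE-2026-41065 (added example, not Tautulli's code).

Assumptions (labelled): newsletter agents are modelled as dicts carrying an
``id``, an ``agent`` name and a hypothetical ``custom_template`` key holding
the custom template directory. The SAMPLE_NEWSLETTERS records are constructed.
"""
import re
from typing import Iterable, List, Tuple

# First Tautulli release that fixes CVE-2026-41065 (from the advisory).
FIXED_VERSION: Tuple[int, int, int] = (2, 17, 1)

# A custom template directory that starts with a UNC prefix (\\host\share or
# //host/share) or an smb:// URL is served by a remote host, which is exactly
# what the exploitation chain relies on.
REMOTE_TEMPLATE_RE = re.compile(r"^(\\\\|//|smb://)", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn strings such as 'v2.17.1' or '2.17.0-beta' into a (major, minor, patch) tuple."""
    core = version.strip().lstrip("vV").split("-")[0]
    nums = [int(n) for n in re.findall(r"\d+", core)[:3]]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_vulnerable_version(version: str) -> bool:
    """True when the installed version predates the fixed release 2.17.1."""
    return parse_version(version) < FIXED_VERSION


def is_remote_template_dir(path: str) -> bool:
    """True when a custom template directory resolves to a network share."""
    return bool(REMOTE_TEMPLATE_RE.match(path or ""))


def audit_newsletters(records: Iterable[dict]) -> List[int]:
    """Return the ids of newsletter agents whose template directory is remote."""
    return [r["id"] for r in records if is_remote_template_dir(r.get("custom_template", ""))]


def audit_instance(version: str, setup_complete: bool, records: Iterable[dict]) -> List[str]:
    """Collect human-readable findings for one Tautulli instance."""
    findings = []
    if is_vulnerable_version(version):
        findings.append(f"version {version} predates fixed release 2.17.1: upgrade")
    if not setup_complete:
        findings.append("setup wizard not completed: management endpoints are unauthenticated")
    for nid in audit_newsletters(records):
        findings.append(f"newsletter agent {nid} loads templates from a remote share")
    return findings


# Constructed sample records: ids 3 and 4 should be flagged, 1 and 2 should not.
SAMPLE_NEWSLETTERS = [
    {"id": 1, "agent": "recently_added", "custom_template": ""},
    {"id": 2, "agent": "recently_added", "custom_template": "/opt/tautulli/templates"},
    {"id": 3, "agent": "recently_added", "custom_template": r"\\203.0.113.5\templates"},
    {"id": 4, "agent": "recently_added", "custom_template": "smb://share.example.invalid/tpl"},
]

if __name__ == "__main__":
    for line in audit_instance("v2.16.5", False, SAMPLE_NEWSLETTERS):
        print("FINDING:", line)
```

Run against a real instance by substituting the version string shown in Tautulli's settings and the newsletter agent configuration exported from the instance; the UNC and smb:// prefixes are the only indicators the script looks for, so a template directory reachable through a locally mounted share would need the mount point added to the check.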
Evidence notes
CVE-2026-41065 has a CVSS score of 8.9 and is classified as HIGH severity. The vulnerability is addressed in Tautulli version 2.17.1.
Official resources
CVE-2026-41065 was published on 2026-06-04T15:16:53.873Z and modified on 2026-06-04T16:16:37.097Z.