A critical vulnerability, CVE-2026-43986, was discovered in Tautulli, a Python-based monitoring and tracking tool for Plex Media Server. The vulnerability has a CVSS score of 9.9 and is classified as CRITICAL. It allows a low-privilege guest user to seed a malicious external image URL into the lookup table and then trigger server-side fetches through a fully unauthenticated endpoint, effectively turning a [truncated]
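The defence a practitioner wants against the pattern above (a stored URL later fetched server-side by an endpoint that needs no authentication) is a destination check run immediately before the fetch, not only at the time the URL is stored. The following is an added illustration, not Tautulli's code and not the project's fix: `is_safe_fetch_url` and `resolve_host` are hypothetical names, and the resolver is injectable so the check can be exercised without network access.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example (not Tautulli code): a destination guard an image fetcher
# can apply to a user-supplied URL right before following it.

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Default resolver: every address (A and AAAA) the hostname maps to."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def _is_public(addr):
    """True only for global unicast addresses: rejects loopback, private
    (RFC 1918), link-local (including 169.254.169.254 cloud metadata),
    shared address space, multicast, reserved and unspecified addresses."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False


def is_safe_fetch_url(url, resolver=resolve_host):
    """Return True only if url is http(s), carries no embedded credentials,
    and every address its host maps to is public. Literal IP hosts are
    checked directly; names go through `resolver`."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname
    if not host or parts.username or parts.password:
        return False
    try:
        ipaddress.ip_address(host)
        addrs = [host]                      # literal IP: no lookup needed
    except ValueError:
        try:
            addrs = resolver(host)          # hostname: check every answer
        except (socket.gaierror, OSError):
            return False
    if not addrs:
        return False
    return all(_is_public(a) for a in addrs)
```

Two caveats the check does not remove on its own: resolve once and connect to the address you validated (otherwise a rebinding DNS answer can pass the check and then point the real fetch at an internal host), and disable redirect following in the HTTP client, or re-run the check on every redirect target.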
CVE-2026-43984 is a stored cross-site scripting vulnerability in Tautulli, a Python-based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose `log_js_errors` to any authenticated user, including guest users when guest access is enabled. The endpoint writes attacker-controlled strings directly into the main application log. The administrator-only `logFile` view then reads th [truncated]
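The two halves of this bug are a write path that accepts raw client strings into the log and a read path that renders the log as HTML without output encoding. The following is an added illustration, not Tautulli's code: the function names, the in-memory `log` list and the table markup are hypothetical, chosen to show the vulnerable shape of each half beside its hardened form.

```python
import html
import re

# Added example (not Tautulli code) of the pattern behind a stored XSS
# through an application log viewer.

# Line breaks and other control characters are the tools for forging
# additional log lines; a length cap stops log flooding from one request.
_CTRL = re.compile(r"[\r\n\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def sanitize_for_log(text, max_len=1000):
    """Replace control characters with a space and truncate."""
    return _CTRL.sub(" ", text)[:max_len]


def log_js_error_vulnerable(log, message):
    """Write path, vulnerable shape: client string goes in verbatim."""
    log.append("JS error: " + message)


def log_js_error_hardened(log, message):
    """Write path, hardened: neutralize line breaks and cap length."""
    log.append("JS error: " + sanitize_for_log(message))


def render_log_vulnerable(log):
    """Read path, vulnerable shape: lines interpolated into HTML unescaped."""
    return "".join("<tr><td>%s</td></tr>" % line for line in log)


def render_log_hardened(log):
    """Read path, hardened: every line HTML-escaped (quote=True so the
    same encoding is safe inside attribute values too)."""
    return "".join(
        "<tr><td>%s</td></tr>" % html.escape(line, quote=True) for line in log
    )
```

Output encoding in the viewer is what actually closes the XSS; the write-side sanitizer is defence in depth, mainly against log-line forgery and flooding, and must not be the only control because the log is also consumed by other readers and by anything that was logged before the fix.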
CVE-2026-41065 is a high-severity remote code execution vulnerability in Tautulli, a Python-based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 are vulnerable to remote code execution via the newsletter custom template directory feature. On a fresh install before the setup wizard is completed, all management endpoints are completely unauthenticated. An attacker can create a [truncated]
CVE-2026-40605 is a path traversal vulnerability in Tautulli, a Python-based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.1, an authenticated API call can delete directories outside the configured cache path, leading to arbitrary data loss and service disruption. The vulnerability has a CVSS score of 5.7 and is classified as MEDIUM severity. The issue was fixed in version 2.17.1.
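The fix for a deletion handler of this kind is a containment check on the resolved path, not a substring check on the string the caller sent. The following is an added illustration, not Tautulli's code and not its actual patch: `cache_root` stands in for the configured cache path, the `delete_cache_dir_*` names and the `build_demo_tree` layout are hypothetical, and the vulnerable form is kept beside the hardened one to show exactly what `..`, absolute paths and symlinks do to each.

```python
import os
import shutil
import tempfile

# Added example (not Tautulli code): a cache-directory delete handler
# before and after adding a path-containment check.


def delete_cache_dir_vulnerable(cache_root, name):
    """Vulnerable shape: caller input is joined onto the cache path with no
    containment check, so '../config' walks out of the cache and an
    absolute path makes os.path.join discard cache_root entirely."""
    target = os.path.join(cache_root, name)
    if os.path.isdir(target):
        shutil.rmtree(target)
        return True
    return False


def resolve_inside(root, name):
    """Return the real path of root/name only if it is still inside root
    after resolving '..', absolute paths and symlinks; otherwise None."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, name))
    # commonpath, not startswith: '/cache_evil' must not pass as inside '/cache'
    if os.path.commonpath([root_real, target]) != root_real:
        return None
    if target == root_real:
        return None                      # never wipe the cache root itself
    return target


def delete_cache_dir_hardened(cache_root, name):
    """Hardened: only a directory strictly inside the cache path is removed."""
    target = resolve_inside(cache_root, name)
    if target is None or not os.path.isdir(target):
        return False
    shutil.rmtree(target)
    return True


def build_demo_tree():
    """Constructed layout for a local run: <tmp>/cache/images plus a sibling
    <tmp>/config that must never be reachable through the cache endpoint.
    Returns (cache_root, config_dir)."""
    base = tempfile.mkdtemp(prefix="cache-demo-")
    cache = os.path.join(base, "cache")
    os.makedirs(os.path.join(cache, "images"))
    config = os.path.join(base, "config")
    os.makedirs(config)
    return cache, config
```

Resolving with `realpath` before the comparison matters because a symlink planted inside the cache (for example by a separate upload feature) would otherwise satisfy a purely lexical check while pointing at a directory outside it.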