CVE-2026-41065

Tautulli is a Python based monitoring and tracking tool for Plex Media Server

Published: 2026-06-04 · Last updated: 2026-06-04

Severity and scoring

CWE: CWE-1336

Description

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 are vulnerable to remote code execution via the newsletter custom template directory feature. On a fresh install before the setup wizard is completed, all management endpoints are completely unauthenticated. An attacker can create a newsletter agent, point the custom template directory to an attacker-controlled SMB share serving a malicious Mako template, and trigger execution via the newsletter render endpoint, all with zero credentials and no local access to the target system. On a completed install with credentials configured, the same chain is exploitable by any admin. Version 2.17.1 fixes the issue.

Source: NVD

References

Related CVEs

Same CWE

CVE-2026-34906 — Server-Side Template Injection (SSTI) in Wirtualna Uczelnia allows an unauthenticated attacker to perform Remote Code Execution (RCE)
CVE-2026-42252 — Apache Airflow's official documentation at `core-concepts/dag-run.html` ("Passing Parameters when triggering Dags") showed a verbatim `Ba... (9.1 CRITICAL)
CVE-2026-45697 — Formie is a Craft CMS plugin for creating forms (9.8 CRITICAL)
CVE-2026-49382 — In JetBrains IntelliJ IDEA before 2026.1 code execution was possible via template injection in the Copyright plugin (4.5 MEDIUM)
CVE-2026-45312 — RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine (9.9 CRITICAL)