CVE-2026-40605 | Tautulli is a Python based monitoring and tracking tool for … | CVSS 5.7 MEDIUM

Description

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.1, a path traversal vulnerability in the cache deletion endpoint allows authenticated API access to delete directories outside the configured cache path. This can cause arbitrary data loss and service disruption. Version 2.17.1 fixes the issue.

Metadata

CVE ID: CVE-2026-40605
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-04-14 14:07 UTC
Published: 2026-06-04 12:50 UTC
Last updated: 2026-06-04 15:06 UTC
Primary CWE: CWE-22
CWE-22: Improper Limitation of a Pathname to a Restricted Di…
Vendor / Product: Tautulli / Tautulli
Sources: cve.org · NVD

Severity & Metrics

5.7 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:P

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Tautulli	Tautulli	—	< 2.17.1

Weakness (CWE)

CWE	Source	Description
CWE-22	cna	CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-73	cna	CWE-73: External Control of File Name or Path

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.7	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:P

References (2)

https://github.com/Tautulli/Tautulli/security/advisories/GHSA-fg46-xx7h-mhwr https://github.com/Tautulli/Tautulli/security/advisories/GHSA-fg46-xx7h-mhwr
https://github.com/Tautulli/Tautulli/releases/tag/v2.17.1 https://github.com/Tautulli/Tautulli/releases/tag/v2.17.1