CVE-2026-41065 | Tautulli is a Python based monitoring and tracking tool for … | CVSS 8.9 HIGH

Description

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 are vulnerable to remote code execution via the newsletter custom template directory feature. On a fresh install before the setup wizard is completed, all management endpoints are completely unauthenticated. An attacker can create a newsletter agent, point the custom template directory to an attacker-controlled SMB share serving a malicious Mako template, and trigger execution via the newsletter render endpoint, all with zero credentials and no local access to the target system. On a completed install with credentials configured, the same chain is exploitable by any admin. Version 2.17.1 fixes the issue.

Metadata

CVE ID: CVE-2026-41065
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-04-16 16:43 UTC
Published: 2026-06-04 14:17 UTC
Last updated: 2026-06-04 14:28 UTC
Primary CWE: CWE-1336
CWE-1336: Improper Neutralization of Special Elements Used i…
Vendor / Product: Tautulli / Tautulli
Sources: cve.org · NVD

Severity & Metrics

8.9 HIGH CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Tautulli	Tautulli	—	< 2.17.1

Weakness (CWE)

CWE	Source	Description
CWE-1336	cna	CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

CVSS scores (1)

Score	Severity	Version	Source	Vector
8.9	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

References (2)

https://github.com/Tautulli/Tautulli/security/advisories/GHSA-68qx-mcf5-3jcp https://github.com/Tautulli/Tautulli/security/advisories/GHSA-68qx-mcf5-3jcp
https://github.com/Tautulli/Tautulli/releases/tag/v2.17.1 https://github.com/Tautulli/Tautulli/releases/tag/v2.17.1