Description
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has been patched in version 2.17.0.
Published: 2026-03-30
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: cross-origin script injection and API key theft
Action: Immediate Patch
AI Analysis

Impact

An unsanitized JSONP callback parameter in Tautulli lets a malicious actor inject arbitrary JavaScript into a response that another origin can load as a script, which is cross-origin script injection. Because the API key is included in the JSONP payload, the same weakness can also expose that privileged credential, which can then be used to control the Plex Media Server. The weakness is a classic reflected-input vulnerability and is classified as CWE-79.
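The mechanism described above comes down to how a server turns a caller-supplied callback name into a script body. The following is an added example, not Tautulli's code: it shows the vulnerable pattern (reflecting the callback verbatim) beside a hardened renderer that allow-lists the callback as a plain JavaScript identifier, strips secrets such as an API key from the JSONP body, and pins the content type. It also includes a small log-scanning helper for spotting non-identifier callback values in request lines. The endpoint path, parameter names and secret-key names are assumptions, and the log lines are constructed.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list for JSONP callback names: a JavaScript identifier, optionally
# dotted (e.g. "jQuery123.cb"). Anything else is rejected, never reflected.
CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*")

# Keys that must never be embedded in a JSONP body: any origin can load the
# response in a <script> tag and read what the callback receives.
# (Assumed key names, not Tautulli's.)
SECRET_KEYS = {"apikey", "api_key", "token"}


def render_jsonp_unsafe(callback, payload):
    """The vulnerable pattern: the callback string is reflected verbatim,
    so a non-identifier value becomes executable script in the response."""
    return f"{callback}({json.dumps(payload)});"


def is_valid_callback(callback):
    """True only if the callback is a plain (dotted) JavaScript identifier."""
    return bool(CALLBACK_RE.fullmatch(callback))


def render_jsonp_safe(callback, payload):
    """Hardened rendering: validate the callback, drop secret fields, prefix a
    comment so the body cannot be mistaken for another format, and return
    headers that pin the response to JavaScript."""
    if not is_valid_callback(callback):
        raise ValueError("invalid JSONP callback name")
    body = {k: v for k, v in payload.items() if k.lower() not in SECRET_KEYS}
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return f"/**/ {callback}({json.dumps(body)});", headers


def callback_accepted(callback):
    """Convenience check: does the hardened renderer accept this callback?"""
    try:
        render_jsonp_safe(callback, {})
        return True
    except ValueError:
        return False


def flag_suspicious_callbacks(log_lines):
    """Detection helper: scan request lines ("METHOD /path?query HTTP/1.1")
    for callback values that are not plain identifiers. Returns
    (line, callback) pairs worth reviewing."""
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        query = parse_qs(urlsplit(parts[1]).query)
        for cb in query.get("callback", []):
            if not is_valid_callback(cb):
                findings.append((line, cb))
    return findings


# Constructed request lines for demonstration; the path is assumed.
SAMPLE_LOG = [
    "GET /api?cmd=status&callback=handleStatus HTTP/1.1",
    "GET /api?cmd=status&callback=cb%28%29%3Bx HTTP/1.1",
]

if __name__ == "__main__":
    payload = {"result": "ok", "apikey": "PLACEHOLDER_KEY"}
    print(render_jsonp_unsafe("cb();x", payload))   # callback reflected verbatim
    print(render_jsonp_safe("cb", payload)[0])      # secret dropped, callback validated
    print(flag_suspicious_callbacks(SAMPLE_LOG))
```

The allow-list is deliberately narrow: JSONP clients only ever need an identifier (or a dotted path to one), so there is no legitimate reason to accept parentheses, semicolons or quotes in the callback. Dropping the API key from the body is a separate control; even a perfectly validated callback still hands whatever is in the payload to any origin that embeds the script.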

Affected Systems

The vulnerability exists in Tautulli versions from 1.3.10 up to, but not including, 2.17.0. Users running any of those releases with the JSONP API endpoint enabled are affected.

Risk and Exploitability

The CVSS score of 7.4 indicates high severity, but the EPSS score of less than one percent suggests that exploitation is currently rare. The vulnerability is not listed in CISA's KEV catalog, implying no known widespread attacks yet. The likely attack path requires an attacker to host a malicious web page that calls the vulnerable JSONP endpoint and to get a victim with access to the Tautulli instance to visit that page. The exploitation vector is therefore client-side via a crafted URL, and requires a victim to load the payload in a web browser.

Generated by OpenCVE AI on April 2, 2026 at 16:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tautulli to version 2.17.0 or later.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 15:45:00 +0000

Type: CPEs
Values removed: (none)
Values added: cpe:2.3:a:tautulli:tautulli:*:*:*:*:*:*:*:*

Wed, 01 Apr 2026 23:45:00 +0000

Type: Metrics
Values removed: (none)
Values added:
  cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Tautulli; Tautulli tautulli

Type: Vendors & Products
Values removed: (none)
Values added: Tautulli; Tautulli tautulli

Mon, 30 Mar 2026 20:15:00 +0000

Type: Description
Values removed: (none)
Values added: Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has been patched in version 2.17.0.

Type: Title
Values removed: (none)
Values added: Tautulli: Unsanitized JSONP callback parameter allows cross-origin script injection and API key theft

Type: Weaknesses
Values removed: (none)
Values added: CWE-79

Type: References
Values removed: (none)
Values added: (none shown)

Type: Metrics
Values removed: (none)
Values added:
  cvssV4_0: {'score': 7.4, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Tautulli Tautulli
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T18:24:07.476Z

Reserved: 2026-03-11T15:05:48.400Z

Link: CVE-2026-32275

Vulnrichment

Updated: 2026-04-01T18:23:55.667Z

NVD

Status: Analyzed

Published: 2026-03-30T20:16:21.980

Modified: 2026-04-02T15:38:25.027

Link: CVE-2026-32275

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:22:51Z

Weaknesses