Description
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has been patched in version 2.17.0.
Published: 2026-03-30
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting that allows attackers to inject JavaScript and steal API keys
Action: Immediate Patch
AI Analysis

Impact

Tautulli versions from 1.3.10 up to, but not including, 2.17.0 contain a flaw in which the JSONP callback parameter is not sanitized. The server concatenates whatever the caller supplies as the callback into a response that a browser executes as script, so an attacker-controlled page on any origin that loads the endpoint with a crafted callback can run attacker-chosen JavaScript in the victim's browser. In the same way, a cross-origin page can consume the JSONP response itself and read the data it carries, including the API key, which grants the attacker the same access to the Tautulli API that the key provides: administrative functions and the instance's media and user data.

Affected Systems

The vulnerability affects installations of Tautulli from release 1.3.10 up to, but not including, version 2.17.0. Any instance running a vulnerable build whose web interface is reachable from a browser an attacker can influence is at risk: an internet-exposed instance directly, and a LAN-only instance when one of its users visits an attacker-controlled page that loads the JSONP endpoint.

Risk and Exploitability

The CNA-assigned CVSS 4.0 score is 7.4 (High). Its vector, AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N, describes a network-reachable flaw that needs no privileges but does require an active user action and a high-complexity setup, which matches a victim being lured to an attacker-controlled page that loads the JSONP endpoint with a crafted callback. A CVSS 3.1 vector added later in the record (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, score 9.1) rates the issue more severely and assumes no user interaction; the two scores come from different assessors and the gap is worth keeping in mind when prioritising. The EPSS score is below 1% (Very Low), the SSVC assessment records no known exploitation, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Exploitation consists of requesting the JSONP endpoint over HTTP/HTTPS with a callback value that contains script rather than a bare function name, so that the response, served as script, executes in the context of an authenticated user's browser.

Generated by OpenCVE AI on March 31, 2026 at 04:21 UTC.

Remediation

The issue is fixed in Tautulli 2.17.0, per the CNA description. No vendor-documented workaround for earlier releases is recorded on this page.

OpenCVE Recommended Actions

  • Update Tautulli to version 2.17.0 or later
  • Verify that the JSONP callback parameter is now rejected or restricted to a plain function-name identifier (a probe value containing characters such as quotes or semicolons must not be echoed back into the response)
  • If upgrading immediately is not possible, keep the web interface off the public internet or behind an authenticating reverse proxy or VPN, monitor the access log for requests with unusual callback values, and rotate the Tautulli API key if you suspect it has been exposed

Generated by OpenCVE AI on March 31, 2026 at 04:21 UTC.
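The following is an added example, not Tautulli's own code or its 2.17.0 fix: it shows the unsafe JSONP pattern the Impact section describes (the callback concatenated verbatim into a script response), a hardened rendering of the same endpoint that only accepts identifier-shaped callbacks, and the reflection check behind the second recommended action above. The function names, the identifier regex, the length limit and the sample payload are this example's own assumptions.

```python
"""Added example (not Tautulli code): unsafe JSONP rendering, a hardened
version of the same endpoint, and a reflection check for a captured response."""
import json
import re

# Constructed sample payload standing in for an API response body; not real data.
SAMPLE_PAYLOAD = {"response": {"result": "success", "data": {"apikey": "not-a-real-key"}}}

# Assumption: a JSONP callback should be a JavaScript identifier, optionally
# dotted (e.g. "jQuery.fn.cb"). Anything else is not a callback name.
CALLBACK_RE = re.compile(
    r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$"
)
MAX_CALLBACK_LEN = 64  # assumed bound; generous for real callback names


def render_jsonp_unsafe(callback, payload):
    """Vulnerable pattern: the callback string is concatenated verbatim into a
    response the browser executes as script, so whatever the caller puts in the
    parameter becomes JavaScript on the including page."""
    return "%s(%s);" % (callback, json.dumps(payload))


def is_valid_callback(callback):
    """True only for a bounded, identifier-shaped callback name."""
    if not isinstance(callback, str) or not callback:
        return False
    if len(callback) > MAX_CALLBACK_LEN:
        return False
    return CALLBACK_RE.match(callback) is not None


def render_jsonp_safe(callback, payload):
    """Hardened pattern: reject anything that is not a plain identifier, prefix
    the body with a comment so the response cannot double as another file type,
    and send a script content type with nosniff. Returns (body, headers)."""
    if not is_valid_callback(callback):
        raise ValueError("invalid JSONP callback")
    body = "/**/%s(%s);" % (callback, json.dumps(payload))
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return body, headers


def callback_is_reflected(response_body, probe):
    """Verification check for a running instance: request the JSONP endpoint with
    `probe` (a string no valid identifier could contain) as the callback value
    and pass the raw response body here. True means the server echoed it back
    unchanged, i.e. the callback parameter is still unsanitized."""
    return probe in response_body


if __name__ == "__main__":
    probe = 'x";//'  # contains characters an identifier cannot
    unsafe_body = render_jsonp_unsafe(probe, SAMPLE_PAYLOAD)
    print("unsafe endpoint reflects probe:", callback_is_reflected(unsafe_body, probe))
    try:
        render_jsonp_safe(probe, SAMPLE_PAYLOAD)
    except ValueError as exc:
        print("hardened endpoint rejects probe:", exc)
    body, headers = render_jsonp_safe("jQuery.fn.cb", SAMPLE_PAYLOAD)
    print(body)
    print(headers)
```

The probe used by `callback_is_reflected` does nothing on its own; it only tells you whether the parameter is echoed verbatim, which is the property the fix must remove. The more robust design is to drop JSONP entirely and serve cross-origin callers through CORS, since even a strictly validated callback still lets any page that can reference the endpoint read the response.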

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type      Values Removed   Values Added
Metrics   -                cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
                           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Tautulli; Tautulli tautulli
Vendors & Products    -                Tautulli; Tautulli tautulli

Mon, 30 Mar 2026 20:15:00 +0000

Type          Values Removed   Values Added
Description   -                Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has been patched in version 2.17.0.
Title         -                Tautulli: Unsanitized JSONP callback parameter allows cross-origin script injection and API key theft
Weaknesses    -                CWE-79
References    -
Metrics       -                cvssV4_0: {'score': 7.4, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T18:24:07.476Z

Reserved: 2026-03-11T15:05:48.400Z

Link: CVE-2026-32275

Vulnrichment

Updated: 2026-04-01T18:23:55.667Z

NVD

Status : Undergoing Analysis

Published: 2026-03-30T20:16:21.980

Modified: 2026-04-01T19:16:31.723

Link: CVE-2026-32275

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:40:16Z

Weaknesses