Impact
Tautulli, a Python‑based monitoring tool for Plex Media Server, is vulnerable to remote code execution through its newsletter custom template directory feature. An attacker can create a newsletter agent and point the custom template directory to an attacker‑controlled SMB share that serves a malicious Mako template. When the newsletter render endpoint is invoked, the injected template is processed, allowing arbitrary code execution. This flaw is a CWE‑1336 – Improper Restriction of Dynamically Specified Resources. The impact is high: code execution is possible without any user interaction, and the same chain works against any authenticated administrator after setup completes.
Affected Systems
All Tautulli installations running a version older than 2.17.1 are affected. On a fresh install before the setup wizard finishes, every management endpoint is completely unauthenticated, enabling exploitation without credentials. After the wizard, the vulnerability remains but requires admin authentication. Version 2.17.1 fixes the issue by correcting the handling of the custom template directory.
Risk and Exploitability
The CVSS score of 8.9 indicates a high-severity vulnerability. EPSS data is not available, and the flaw is not listed in CISA KEV, but the known attack path is straightforward: an adversary can remotely supply a malicious SMB share and trigger code execution using only network access. The attack vector is remote, with no local privileges needed. Because the flaw can be abused by unauthenticated users on new installations and by any admin on existing ones, the risk to systems that expose the management UI is significant.
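The root cause described above is a directory setting that is handed to the template engine without being restricted to local, operator-controlled storage. The following is an added illustration, not Tautulli's own code or its 2.17.1 fix, of the two checks a defender would want: a version comparison against the fixed release and a validator that rejects UNC/SMB references and paths escaping an assumed local root (`allowed_root` is a hypothetical setting, not a Tautulli option).

```python
"""Added illustration, not Tautulli's own code: validate a user-supplied
template directory setting before a Mako lookup is built from it, and
flag versions below the fixed release (2.17.1)."""
from pathlib import Path, PureWindowsPath

FIXED_VERSION = (2, 17, 1)  # from the advisory: 2.17.1 corrects the handling

def needs_upgrade(version: str) -> bool:
    """True when a reported Tautulli version is older than 2.17.1."""
    parts = version.strip().lstrip("vV").split(".")[:3]
    nums = tuple(int(p) for p in parts) + (0,) * (3 - len(parts))
    return nums < FIXED_VERSION

def looks_like_remote_share(raw: str) -> bool:
    # Reject smb:// style URLs and UNC paths (backslash or forward-slash form).
    # PureWindowsPath parses both slash styles, so this works on any OS.
    s = raw.strip()
    if s.lower().startswith(("smb://", "cifs://")):
        return True
    return PureWindowsPath(s).drive.startswith("\\\\")

class UnsafeTemplateDir(ValueError):
    pass

def validate_template_dir(raw: str, allowed_root: str) -> Path:
    """Return the resolved directory if it is local and inside allowed_root
    (a hypothetical operator-chosen root); raise UnsafeTemplateDir otherwise."""
    if looks_like_remote_share(raw):
        raise UnsafeTemplateDir(f"remote share not allowed: {raw!r}")
    root = Path(allowed_root).resolve()
    candidate = Path(raw)
    if not candidate.is_absolute():
        candidate = root / candidate
    candidate = candidate.resolve()  # collapses ../ segments and symlinks
    if candidate != root and root not in candidate.parents:
        raise UnsafeTemplateDir(f"{raw!r} escapes {allowed_root!r}")
    return candidate

def is_safe_template_dir(raw: str, allowed_root: str) -> bool:
    try:
        validate_template_dir(raw, allowed_root)
        return True
    except UnsafeTemplateDir:
        return False

if __name__ == "__main__":
    root = "/opt/tautulli/newsletters"  # constructed sample root
    for sample in ("custom", "../../../tmp", "//share/x", r"\\share\x", "smb://h/s"):
        print(f"{sample!r:>22} -> {'ok' if is_safe_template_dir(sample, root) else 'rejected'}")
```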
OpenCVE Enrichment