Description
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose `log_js_errors` to any authenticated user, including guest users when guest access is enabled. The endpoint writes attacker-controlled strings directly into the main application log. The administrator-only `logFile` view then reads that log file and embeds it into an HTML response without escaping. This creates a stored cross-site scripting condition where a low-privilege guest can inject HTML or JavaScript into the log file and have it execute in an administrator's browser when the log viewer is opened. Version 2.17.1 patches the issue.
Published: 2026-06-04
Score: 8.9 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Tautulli, a monitoring tool for Plex Media Server, has a vulnerability that allows any authenticated user with guest access to write attacker-controlled strings into the main application log. The administrator-only logFile view then renders this log file into an HTML response without escaping, creating a stored cross-site scripting condition. An attacker can inject malicious HTML or JavaScript into the log, which will execute in the administrator's browser when the log viewer is accessed, potentially compromising administrator credentials or executing arbitrary commands.
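To make the mechanism concrete, the following is an added Python illustration, not Tautulli's own code: the sample log lines and all function names are constructed. It contrasts the unescaped log-to-HTML pattern the advisory describes with an escaped rendering, and adds an input-side sanitizer of the kind a logging endpoint should apply before writing client-supplied text.

```python
import html
import re

# Constructed sample log lines (not taken from Tautulli). The second line
# mimics a JS-error record whose message came straight from a client.
SAMPLE_LOG = [
    "2026-06-04 16:16:37 - INFO :: WebServer :: Starting server",
    "2026-06-04 16:17:02 - ERROR :: JS :: <script>alert(1)</script> at app.js:1",
]


def render_log_vulnerable(lines):
    """Pattern described in the advisory: log text dropped into HTML verbatim."""
    rows = "".join(f"<tr><td>{line}</td></tr>" for line in lines)
    return f"<table>{rows}</table>"


def render_log_fixed(lines):
    """Hardened view: every log line is HTML-escaped before reaching the page."""
    rows = "".join(
        f"<tr><td>{html.escape(line, quote=True)}</td></tr>" for line in lines
    )
    return f"<table>{rows}</table>"


# Control characters, including CR/LF, which would let a client forge extra
# log records; the log is a text file, so HTML escaping still belongs in the view.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_for_log(message, max_len=500):
    """Second layer: strip control characters and bound the length of
    client-supplied text before it is written to the application log."""
    return _CONTROL.sub("", message)[:max_len]


def contains_raw_script(html_doc):
    """Detection check for a rendered log page: an unescaped <script> tag
    means log content reached the browser as live markup."""
    return re.search(r"<script\b", html_doc, re.IGNORECASE) is not None


if __name__ == "__main__":
    print("vulnerable view executes markup:", contains_raw_script(render_log_vulnerable(SAMPLE_LOG)))
    print("fixed view executes markup:     ", contains_raw_script(render_log_fixed(SAMPLE_LOG)))
```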

Affected Systems

Versions of Tautulli prior to 2.17.1 are affected. The issue is present in all releases of the Tautulli product that support guest access and expose the log_js_errors endpoint.

Risk and Exploitability

The vulnerability has a CVSS score of 8.9 and is not listed in the CISA KEV catalog. No EPSS score is available, which indicates that publicly available exploitation data is lacking. The attack vector is inferred to require authenticated guest access, meaning it is not an open-world flaw but still exploitable within an environment where guest users are enabled. Given the high severity score and the ability of a low-privilege user to impact administrators, the risk is significant in settings where guest access is enabled.

Generated by OpenCVE AI on June 4, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tautulli to version 2.17.1 or later to apply the vendor patch
  • Disable guest access if it is not required for your operations
  • Ensure that only administrators can view the logFile to prevent guest users from being able to trigger the stored XSS

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics |  | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared |  | Tautulli, Tautulli tautulli
Vendors & Products |  | Tautulli, Tautulli tautulli

Thu, 04 Jun 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description |  | Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose `log_js_errors` to any authenticated user, including guest users when guest access is enabled. The endpoint writes attacker-controlled strings directly into the main application log. The administrator-only `logFile` view then reads that log file and embeds it into an HTML response without escaping. This creates a stored cross-site scripting condition where a low-privilege guest can inject HTML or JavaScript into the log file and have it execute in an administrator's browser when the log viewer is opened. Version 2.17.1 patches the issue.
Title |  | Tautulli has stored XSS in logFile via guest-controlled log_js_errors input
Weaknesses |  | CWE-79
References |  | 
Metrics |  | cvssV3_1 {'score': 8.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L'}

Subscriptions

Tautulli Tautulli
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-04T17:04:41.170Z

Reserved: 2026-05-04T20:24:31.916Z

Link: CVE-2026-43984

Vulnrichment

Updated: 2026-06-04T17:01:00.862Z

NVD

Status : Deferred

Published: 2026-06-04T16:16:37.883

Modified: 2026-06-04T16:20:27.330

Link: CVE-2026-43984

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T16:30:06Z

Weaknesses