CVE-2026-41065

Vulnerability Description

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 are vulnerable to remote code execution via the newsletter custom template directory feature. On a fresh install before the setup wizard is completed, all management endpoints are completely unauthenticated. An attacker can create a newsletter agent, point the custom template directory to an attacker-controlled SMB share serving a malicious Mako template, and trigger execution via the newsletter render endpoint, all with zero credentials and no local access to the target system. On a completed install with credentials configured, the same chain is exploitable by any admin. Version 2.17.1 fixes the issue.

Vulnerability Details

Published Date

June 04, 2026

Last Modified

June 04, 2026

CWE ID

CWE-1336

Source

NVD

Vendor

Tautulli

Product

Tautulli

External References

https://github.com/Tautulli/Tautulli/releases/tag/v2.17.1
https://github.com/Tautulli/Tautulli/security/advisories/GHSA-68qx-mcf5-3jcp
https://github.com/Tautulli/Tautulli/security/advisories/GHSA-68qx-mcf5-3jcp

CVE-2026-41065

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment