CVE-2026-31799

Medium CVSS: 4.9

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 2.14.2 to before version 2.17.0 for parameters "before" and "after" and from version 2.1.0-beta to before version 2.17.0 for parameters "section_id" and "user_id", the /api/v2?cmd=get_home_stats endpoint passes the section_id, user_id, before, and after query parameters directly into SQL via Python %-string formatting without parameterization. An attacker who holds the Tautulli admin API key can inject arbitrary SQL and exfiltrate any value from the Tautulli SQLite database via boolean-blind inference. This issue has been patched in version 2.17.0.

Vendor

Tautulli

Product

Tautulli

CWE

CWE-20

Yayın Tarihi

2026-03-30 20:16:21

Güncelleme

2026-04-02 16:40:46

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-20 Tautulli MEDIUM Tautulli 2026

Referanslar

https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0 https://github.com/Tautulli/Tautulli/security/advisories/GHSA-g47q-8j8w-m63q

Benzer Kayıtlar

High

CVE-2026-31831

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /newsletter/…

High

CVE-2026-32275

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.1…

High

CVE-2026-28505

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the str_eval() f…

High

CVE-2025-58763

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. A command injection vulnerability in Taut…

High

CVE-2025-58760

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. The `/image` API endpoint in Tautulli v2.…

High

CVE-2025-58761

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. The `real_pms_image_proxy` endpoint in Ta…