CVE-2026-31799

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 2.14.2 to before version 2.17.0 for parameters "before" and "after" and from version 2.1.0-beta to before version 2.17.0 for parameters "section_id" and "user_id", the /api/v2?cmd=get_home_stats endpoint passes the section_id, user_id, before, and after query parameters directly into SQL via Python %-string formatting without parameterization. An attacker who holds the Tautulli admin API key can inject arbitrary SQL and exfiltrate any value from the Tautulli SQLite database via boolean-blind inference. This issue has been patched in version 2.17.0.

CVSS v3 4.9 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0	Release Notes
https://github.com/Tautulli/Tautulli/security/advisories/GHSA-g47q-8j8w-m63q	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:tautulli:tautulli:*:*:*:*:*:*:*:*

History

02 Apr 2026, 16:40

Type	Values Removed	Values Added
References	~~() https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0 -~~	() https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0 - Release Notes
References	~~() https://github.com/Tautulli/Tautulli/security/advisories/GHSA-g47q-8j8w-m63q -~~	() https://github.com/Tautulli/Tautulli/security/advisories/GHSA-g47q-8j8w-m63q - Exploit, Mitigation, Vendor Advisory
CPE		cpe:2.3:a:tautulli:tautulli::::::::
First Time		Tautulli tautulli Tautulli

01 Apr 2026, 14:24

Type	Values Removed	Values Added
Summary		(es) Tautulli es una herramienta de monitoreo y seguimiento basada en Python para Plex Media Server. Desde la versión 2.14.2 hasta antes de la versión 2.17.0 para los parámetros 'before' y 'after', y desde la versión 2.1.0-beta hasta antes de la versión 2.17.0 para los parámetros 'section_id' y 'user_id', el endpoint /api/v2?cmd=get_home_stats pasa los parámetros de consulta section_id, user_id, before y after directamente a SQL a través del formato de cadena % de Python sin parametrización. Un atacante que posee la clave API de administrador de Tautulli puede inyectar SQL arbitrario y exfiltrar cualquier valor de la base de datos SQLite de Tautulli mediante inferencia booleana a ciegas. Este problema ha sido parcheado en la versión 2.17.0.

30 Mar 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-30 20:16

Updated : 2026-04-02 16:40

NVD link : CVE-2026-31799

Mitre link : CVE-2026-31799

CVE.ORG link : CVE-2026-31799

JSON object : View

Products Affected

tautulli

tautulli

CWE

CWE-20

Improper Input Validation

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

4.9 /10