CVE-2026-32275

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has been patched in version 2.17.0.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0	Release Notes
https://github.com/Tautulli/Tautulli/security/advisories/GHSA-95mg-wpqw-9qxh	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:tautulli:tautulli:*:*:*:*:*:*:*:*

History

02 Apr 2026, 15:38

Type	Values Removed	Values Added
References	~~() https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0 -~~	() https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0 - Release Notes
References	~~() https://github.com/Tautulli/Tautulli/security/advisories/GHSA-95mg-wpqw-9qxh -~~	() https://github.com/Tautulli/Tautulli/security/advisories/GHSA-95mg-wpqw-9qxh - Exploit, Vendor Advisory
First Time		Tautulli tautulli Tautulli
CPE		cpe:2.3:a:tautulli:tautulli::::::::

01 Apr 2026, 19:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1

01 Apr 2026, 14:24

Type	Values Removed	Values Added
Summary		(es) Tautulli es una herramienta de monitoreo y seguimiento basada en Python para Plex Media Server. Desde la versión 1.3.10 hasta antes de la versión 2.17.0, un parámetro de callback JSONP no saneado permite la inyección de scripts de origen cruzado y el robo de claves API. Este problema ha sido parcheado en la versión 2.17.0.

30 Mar 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-30 20:16

Updated : 2026-04-02 15:38

NVD link : CVE-2026-32275

Mitre link : CVE-2026-32275

CVE.ORG link : CVE-2026-32275

JSON object : View

Products Affected

tautulli

tautulli

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-32275", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.4, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-30T20:16:21.980", "references": [{"url": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-95mg-wpqw-9qxh", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has been patched in version 2.17.0."}, {"lang": "es", "value": "Tautulli es una herramienta de monitoreo y seguimiento basada en Python para Plex Media Server. Desde la versi\u00f3n 1.3.10 hasta antes de la versi\u00f3n 2.17.0, un par\u00e1metro de callback JSONP no saneado permite la inyecci\u00f3n de scripts de origen cruzado y el robo de claves API. Este problema ha sido parcheado en la versi\u00f3n 2.17.0."}], "lastModified": "2026-04-02T15:38:25.027", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tautulli:tautulli:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E6AF7C20-CCD3-4755-B349-6579668258D6", "versionEndExcluding": "2.17.0", "versionStartIncluding": "1.3.10"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}