CVE-2026-41065 – Tautulli Vulnerable to Unauthenticated/Authenticated Remote Code Execution via Newsletter Custom Template Directory

CVE ID :CVE-2026-41065

Published : June 4, 2026, 2:17 p.m. | 15 minutes ago

Description :Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 are vulnerable to remote code execution via the newsletter custom template directory feature. On a fresh install before the setup wizard is completed, all management endpoints are completely unauthenticated. An attacker can create a newsletter agent, point the custom template directory to an attacker-controlled SMB share serving a malicious Mako template, and trigger execution via the newsletter render endpoint, all with zero credentials and no local access to the target system. On a completed install with credentials configured, the same chain is exploitable by any admin. Version 2.17.1 fixes the issue.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-9134 – Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery & Carousel

CVE-2026-9109 – GPTranslate

CVE-2026-9062 – Agile Store Locator < 1.6.9 – Admin+ Arbitrary File Read via Path Traversal

CVE-2026-9061 – Agile Store Locator < 1.6.9 – Admin+ Stored XSS via logo_name