CVE-2026-40605 MEDIUM

CVE-2026-40605: Tautulli Vulnerable to Authenticated Path Traversal in Cache Deletion API

Vendor Tautulli
Product Tautulli
Weakness CWE-22 · Path traversal
Published June 4, 2026
Last update June 4, 2026

CVSS base score

5.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01 Description

Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.1, a path traversal vulnerability in the cache deletion endpoint allows an authenticated API user to delete directories outside the configured cache path. This can cause arbitrary data loss and service disruption. Version 2.17.1 fixes the issue.

Key dates

02 Disclosure timeline

June 4, 2026 CVE published
June 4, 2026 Record updated