CVE-2026-41065 HIGH

CVE-2026-41065: Tautulli Vulnerable to Unauthenticated/Authenticated Remote Code Execution via Newsletter Custom Template Directory

Vendor Tautulli
Product Tautulli
Weakness CWE-1336
Published June 4, 2026
Last update June 4, 2026

CVSS base score

8.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 are vulnerable to remote code execution via the newsletter custom template directory feature. On a fresh install before the setup wizard is completed, all management endpoints are completely unauthenticated. An attacker can create a newsletter agent, point the custom template directory to an attacker-controlled SMB share serving a malicious Mako template, and trigger execution via the newsletter render endpoint, all with zero credentials and no local access to the target system. On a completed install with credentials configured, the same chain is exploitable by any admin. Version 2.17.1 fixes the issue.

Key dates

02Disclosure timeline

June 4, 2026 CVE published
June 4, 2026 Record updated