PT-2026-28103 · Plex · Plex Media Server


Published 2026-03-25 · Updated 2026-03-31 · CVE-2026-28505

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Tautulli versions prior to 2.17.0

Description: Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Before version 2.17.0, the str_eval() function in notification_handler.py implemented a sandboxed eval() for notification text templates. The sandbox aimed to restrict callable names by inspecting code.co_names of the compiled code object. However, code.co_names only contains names from the outer code object. When a lambda expression was used, it created a nested code object, and that nested code object holding the attribute accesses was stored in code.co_consts, not code.co_names. Consequently, the sandbox did not inspect nested code objects.

Recommendations: Update Tautulli to version 2.17.0 or later.
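The inspection gap described above, as an added example that is not Tautulli's code: a check that reads only the outer code object's co_names beside a recursive walk that also visits nested code objects stored in co_consts. The function names and the template strings are constructed for illustration.

```python
import types

# Constructed template expressions (not Tautulli's template syntax).
PLAIN_ATTR = "x.upper"
NESTED_LAMBDA = "(lambda: x.upper)()"


def outer_names(expr: str) -> set:
    """The flawed check: only the outermost code object's co_names."""
    code = compile(expr, "<template>", "eval")
    return set(code.co_names)


def walk_code(code: types.CodeType):
    """Yield a code object and every nested one reachable via co_consts.

    A lambda, a nested def or (before Python 3.12) a comprehension compiles
    to a separate code object that lives in co_consts of its parent.
    """
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)


def all_names(expr: str) -> set:
    """Every global and attribute name referenced at any nesting depth."""
    code = compile(expr, "<template>", "eval")
    names = set()
    for c in walk_code(code):
        names.update(c.co_names)
    return names


def is_allowed(expr: str, allowed: frozenset) -> bool:
    """Allow-list check that covers nested code objects as well."""
    return all_names(expr) <= allowed


if __name__ == "__main__":
    # The outer-only check sees nothing inside the lambda; the walk does.
    print("outer only:", outer_names(NESTED_LAMBDA))  # set()
    print("recursive :", all_names(NESTED_LAMBDA))    # {'x', 'upper'}
```

A name allow-list still says nothing about what the allowed names can reach, so this closes the specific gap the advisory describes rather than making eval() on user-controlled templates safe in general.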

Exploit

Fix

Weakness Enumeration

Code Injection
Eval Injection

Related identifiers

CVE-2026-28505
GHSA-M62J-GWM9-7P8M

Affected products

Plex Media Server
Tautulli