Remindsec

#27584 of 53,624
9.3 Total CVSS
Vulnerabilities · 1
PT-2026-46248
9.3
2026-06-04
Plex · Plex Media Server · CVE-2026-41065
**Name of the Vulnerable Software and Affected Versions**

Tautulli versions prior to 2.17.1

**Description**

Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. The software allows remote code execution through the newsletter custom template directory feature. In a fresh installation where the setup wizard is not yet completed, all management endpoints are unauthenticated. An attacker can create a newsletter agent, direct the custom template directory to an attacker-controlled SMB share containing a malicious Mako template (a template library for Python), and trigger execution via the newsletter render endpoint without credentials or local access. In installations where credentials have been configured, this sequence can be exploited by any administrator.

**Recommendations**

Update to version 2.17.1.