CVE-2025-58762

Name of the Vulnerable Software and Affected Versions: Tautulli versions prior to 2.16.0

Description: Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. An attacker with administrative access can exploit the pms image proxy endpoint to write arbitrary Python scripts into the application filesystem. This can be achieved by manipulating the img parameter and the img format parameter within a pms image proxy request, leveraging path traversal vulnerabilities to specify a desired filename. The attacker controls the Plex Media Server (PMS) and can provide arbitrary content, which is then written to the specified file. Subsequently, the attacker can utilize the Script notification agent to execute the written script, resulting in remote code execution on the application server.

Recommendations: Upgrade to version 2.16.0.