CVE-2025-58763

Name of the Vulnerable Software and Affected Versions: Tautulli versions prior to 2.16.0

Description: Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. A command injection issue in the runGit function within versioncheck.py allows attackers with administrative privileges to achieve remote code execution on the application server. This requires the application to have been cloned from GitHub and installed manually. The vulnerability occurs because shell=True is passed to subproces.Popen, making the call susceptible to command injection through shell characters in arguments. The checkout git branch API endpoint is a concrete trigger point, storing user-supplied remote and branch names into the GIT REMOTE and GIT BRANCH configuration keys without sanitization, which are then passed directly into runGit using a format string. Code execution can be obtained by using $() interpolation in a command.

Recommendations: Update to Tautulli version 2.16.0 or later.