PT-2026-28103 · Plex · Plex Media Server
Published 2026-03-25 · Updated 2026-03-31 · CVE-2026-28505
CVSS v3.1: 10 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Tautulli versions prior to 2.17.0
Description
Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Before version 2.17.0, the `str_eval()` function in `notification_handler.py` implemented a sandboxed `eval()` for notification text templates. The sandbox aimed to restrict callable names by inspecting `code.co_names` of the compiled code object. However, `code.co_names` only contains the names referenced by the outer code object. When a template used a lambda expression, the lambda was compiled into a nested code object that is stored in `code.co_consts`, and the attribute accesses inside the lambda were recorded in that nested object rather than in the outer `code.co_names`. Consequently, the sandbox never inspected nested code objects and its name check could be bypassed.
Recommendations
Update Tautulli to version 2.17.0 or later.
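As an added illustration of the gap the description explains (this is example code, not Tautulli's own sandbox): a name check that reads only the outer code object's `co_names` is compared with one that also descends into nested code objects found in `co_consts`. The allowlist and the template strings are constructed for the demo.

```python
import types

# Constructed allowlist for the demo; a real sandbox has its own policy.
ALLOWED = {"len", "items"}

def compile_template(src: str) -> types.CodeType:
    """Compile a template expression the same way eval() would."""
    return compile(src, "<template>", "eval")

def shallow_names(src: str) -> set[str]:
    """Names visible in the outer code object only.

    This is the insufficient check: a lambda in the template becomes a
    nested code object stored in co_consts, so nothing it references
    shows up here.
    """
    return set(compile_template(src).co_names)

def walk_names(code: types.CodeType) -> set[str]:
    """Collect co_names from a code object and, recursively, from every
    nested code object in its co_consts (lambdas, nested functions, and
    comprehensions on interpreters before Python 3.12)."""
    names = set(code.co_names)
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            names |= walk_names(const)
    return names

def deep_names(src: str) -> set[str]:
    """Every global/attribute name the template can touch, at any depth."""
    return walk_names(compile_template(src))

def is_allowed(src: str, allowed: set[str] = ALLOWED, deep: bool = True) -> bool:
    """True if the template references only allowlisted names."""
    used = deep_names(src) if deep else shallow_names(src)
    return used <= allowed

if __name__ == "__main__":
    # Constructed template: the names live only inside the lambda's code object.
    hidden = "(lambda: secret.value)()"
    print("shallow:", shallow_names(hidden), "->", is_allowed(hidden, deep=False))
    print("deep:   ", deep_names(hidden), "->", is_allowed(hidden))
    print("plain:  ", deep_names("len(items)"), "->", is_allowed("len(items)"))
```

Walking nested code objects closes this particular gap, but a name allowlist over compiled bytecode remains a fragile boundary; a template engine that never reaches `eval()` is the more robust design.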
Code Injection
Eval Injection
Affected Products
Plex Media Server
Tautulli