CVE-2026-31799

Name of the Vulnerable Software and Affected Versions Tautulli versions 2.14.2 through 2.16.9 Tautulli versions 2.1.0-beta through 2.16.9

Description Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. The /api/v2?cmd=get home stats API endpoint directly passes the section id, user id, before, and after query parameters into SQL using Python %-string formatting without parameterization. An attacker with the Tautulli administrator API key can inject arbitrary SQL and extract any data from the Tautulli SQLite database using boolean-blind inference. The vulnerable parameters are section id, user id, before, and after.

Recommendations Tautulli versions 2.14.2 through 2.16.9: Upgrade to version 2.17.0 or later. Tautulli versions 2.1.0-beta through 2.16.9: Upgrade to version 2.17.0 or later.