PT-2026-28791
Mandreko
Published 2026-03-28 · Updated 2026-03-31
CVE-2026-32275
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Tautulli versions 1.3.10 through 2.16.9
Description
Tautulli, a Python-based monitoring tool for Plex Media Server, fails to sanitize the callback parameter of a JSONP endpoint and reflects it into the script response. An attacker can use this for cross-origin script injection in a victim's browser and, through it, potentially steal the API key. Exploitation of this issue could lead to unauthorized access to and control of the Plex Media Server through the compromised API key.
Recommendations
Update to version 2.17.0 or later.
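For context on the class of flaw, the following is an added example of the input handling a JSONP endpoint needs. It is illustrative code written for this page, not Tautulli's own code or its fix; the function names, the allow-list pattern and the response framing are assumptions. A JSONP endpoint echoes the caller-supplied callback name directly into a script body, so any callback value that is not a plain identifier must be refused rather than reflected:

```python
import json
import re

# Allow-list for a JSONP callback name (assumed policy, not Tautulli's):
# a JavaScript identifier, optionally dotted, e.g. "jQuery123_456" or
# "app.handlers.onData". Brackets, quotes, parentheses, semicolons and
# whitespace never match, so they can never reach the script body.
_CALLBACK_RE = re.compile(
    r"^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$"
)
_MAX_CALLBACK_LEN = 128


def is_safe_callback(name):
    """Return True only if `name` is an acceptable JSONP callback identifier."""
    return (
        isinstance(name, str)
        and 0 < len(name) <= _MAX_CALLBACK_LEN
        and _CALLBACK_RE.match(name) is not None
    )


def build_jsonp_response(callback, payload):
    """Build (body, status, headers) for a JSONP reply.

    The unsafe pattern this replaces is simply
    `"%s(%s);" % (callback, json.dumps(payload))`, which reflects whatever
    the request supplied. Here a callback that fails validation yields a
    400 and no body instead of being echoed back.
    """
    headers = {
        # Declare the body as script, not HTML, and forbid MIME sniffing so
        # a browser never renders the response as a document.
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    if not is_safe_callback(callback):
        return None, 400, headers
    # ensure_ascii=True escapes non-ASCII, including the U+2028/U+2029 line
    # terminators, so payload data cannot terminate the script statement.
    body = "/**/%s(%s);" % (callback, json.dumps(payload, ensure_ascii=True))
    return body, 200, headers


if __name__ == "__main__":
    # Constructed sample inputs: one well-formed callback, one that is not.
    print(build_jsonp_response("cb", {"ok": True}))
    print(build_jsonp_response("cb()", {"ok": True}))
```

The leading `/**/` comment and the explicit `application/javascript` content type are general JSONP hardening practices, not details taken from the Tautulli fix; the upgrade to 2.17.0 remains the remediation for this advisory.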
Tag: XSS
Affected Products
Plex Media Server
Tautulli