Platform: python
Component: tautulli
Fixed in: 2.17.1
CVE-2026-28505 is a Remote Code Execution (RCE) vulnerability affecting Tautulli, a Python-based monitoring tool for Plex Media Server. This vulnerability arises from an insufficient sandbox implementation within the notification template processing. Exploitation allows an attacker to execute arbitrary code on a system running vulnerable versions (≤ 2.17.0). A patch is available in version 2.17.0.
The impact of CVE-2026-28505 is significant, as it allows for complete remote code execution. An attacker who can inject a malicious notification template can gain control of the server running Tautulli. This could lead to data theft (Plex library information, user credentials), system compromise, and potentially lateral movement within the network if the Tautulli server has access to other resources. The vulnerability's reliance on notification templates means that users who customize these templates are particularly at risk. The nested code object flaw, where lambda expressions bypass the sandbox's name inspection, is a critical factor in enabling this exploitation.
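The nested code object flaw described above is easy to reproduce in miniature. The following is an added illustration, not Tautulli's own sandbox code: a constructed denylist, a name check that inspects only the outer code object's co_names (the flawed pattern), and a hardened check that also walks the nested code objects that lambdas and comprehensions leave in co_consts. The denied names and the template expressions are assumptions made for the example.

```python
import types

# Constructed denylist for this illustration only; a real template
# sandbox would apply its own policy (assumption, not Tautulli's list).
DENIED_NAMES = frozenset({"__import__", "eval", "exec", "open",
                          "__subclasses__", "__globals__"})


def names_top_level(code):
    """The flawed pattern: inspect only the outer code object's names.

    A lambda inside the expression compiles to its own code object stored
    in co_consts, so names it references never appear here.
    """
    return set(code.co_names)


def names_recursive(code):
    """Hardened pattern: collect names from every nested code object too."""
    found = set(code.co_names)
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            found |= names_recursive(const)
    return found


def denied_names_in(expression, walker):
    """Compile a template expression and return the denied names the
    given walker can see, sorted for stable comparison."""
    code = compile(expression, "<template>", "eval")
    return sorted(walker(code) & DENIED_NAMES)


if __name__ == "__main__":
    # Constructed template expressions; the path is a placeholder.
    direct = "open('/placeholder/path')"
    nested = "(lambda: open('/placeholder/path'))()"
    print("direct, top-level check:   ", denied_names_in(direct, names_top_level))
    print("nested, top-level check:   ", denied_names_in(nested, names_top_level))
    print("nested, recursive check:   ", denied_names_in(nested, names_recursive))
```

The top-level check flags the direct reference but reports nothing for the lambda-wrapped one, which is exactly the gap the advisory describes; the recursive walk closes it. A denylist on names is still a weak boundary on its own (attribute access and builtins reachable through other objects also need policy), so the recursive walk should be treated as a necessary check, not a complete sandbox.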
CVE-2026-28505 was publicly disclosed on 2026-03-30. Currently, there are no known active campaigns exploiting this vulnerability, and no public proof-of-concept (PoC) code has been released. The vulnerability is not listed on CISA KEV as of this writing. The vulnerability's complexity, requiring specific template manipulation, may limit its immediate exploitation, but it remains a significant risk.
Exploit Status
EPSS: 0.03% (7th percentile)
CISA SSVC
The primary mitigation for CVE-2026-28505 is to immediately upgrade Tautulli to version 2.17.0 or later. If upgrading is not immediately feasible due to compatibility issues or system downtime constraints, consider disabling custom notification templates as a temporary workaround. This will prevent the injection of malicious templates. Monitor Tautulli logs for any unusual activity, particularly related to notification processing. While a WAF or proxy cannot directly prevent this vulnerability, it can be configured to monitor for suspicious template content. After upgrading, confirm the fix by attempting to trigger a notification with a complex template and verifying that it does not result in code execution.
Update Tautulli to version 2.17.0 or higher. This version fixes the remote code execution vulnerability by correctly validating notification text templates.
CVE-2026-28505 is a Remote Code Execution vulnerability in Tautulli versions up to 2.17.0. It allows attackers to execute arbitrary code by crafting malicious notification templates.
You are affected if you are running Tautulli version 2.17.0 or earlier and use custom notification templates.
Upgrade Tautulli to version 2.17.0 or later. As a temporary workaround, disable custom notification templates.
As of now, there are no confirmed reports of active exploitation, but the vulnerability remains a potential risk.
Refer to the Tautulli project's official website and GitHub repository for updates and advisories regarding this vulnerability.