RCE in Tautulli

CVE-2026-28505

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the str_eval() function in notification_handler.py implements a sandboxed eval() for notification text templates. The sandbox attempts…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.000 (11.1th percentile) — read the EPSS interpretation.

Affected products

Tautulli — versions < 2.17.0

Weakness classification (CWE)

References

https://github.com/Tautulli/Tautulli/security/advisories/GHSA-m62j-gwm9-7p8m (x_refsource_CONFIRM)
https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0 (x_refsource_MISC)