Path Traversal in Tautulli

CVE-2026-31831

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /newsletter/image/images API endpoint is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files f…

EPSS: 0.001 (29.3th percentile) — read the EPSS interpretation.

Affected products

Tautulli — versions < 2.17.0

Weakness classification (CWE)

CWE-23 — Relative Path Traversal

References

https://github.com/Tautulli/Tautulli/security/advisories/GHSA-xp55-2pf4-fv8m (x_refsource_CONFIRM)
https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0 (x_refsource_MISC)