XSS in Tautulli
CVE-2026-32275
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has bee…
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.000 (7.4th percentile) — read the EPSS interpretation.
Affected products
- Tautulli — versions >= 1.3.10, < 2.17.0
Weakness classification (CWE)
References
- https://github.com/Tautulli/Tautulli/security/advisories/GHSA-95mg-wpqw-9qxh (x_refsource_CONFIRM)
- https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0 (x_refsource_MISC)