
Description

Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.1, a path traversal vulnerability in the cache deletion endpoint allows authenticated API access to delete directories outside the configured cache path. This can cause arbitrary data loss and service disruption. Version 2.17.1 fixes the issue.
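
The containment check that this class of bug (CWE-22) calls for, shown as an added example; it is not Tautulli's code or its 2.17.1 fix. The function names, the directory layout and the choice to refuse deletion of the cache root itself are assumptions made for illustration.

```python
import os
import shutil
import tempfile

def unchecked_target(cache_dir, name):
    # Vulnerable pattern (CWE-22/CWE-73): the caller-supplied name is joined
    # and normalised, but nothing verifies the result is still under cache_dir.
    return os.path.normpath(os.path.join(cache_dir, name))

def resolve_in_cache(cache_dir, name):
    # Hardened pattern: resolve symlinks and ".." first, then compare whole
    # path components so a sibling such as "cache_old" does not pass as "cache".
    base = os.path.realpath(cache_dir)
    target = os.path.realpath(os.path.join(base, name))
    if target == base or os.path.commonpath([base, target]) != base:
        raise ValueError("refusing path outside cache directory: %r" % name)
    return target

def delete_cache_folder(cache_dir, name):
    # Hypothetical handler body: delete only after the containment check passes.
    target = resolve_in_cache(cache_dir, name)
    if not os.path.isdir(target):
        return False
    shutil.rmtree(target)
    return True

def demo():
    # Constructed layout in a temp dir: <root>/cache/images and <root>/backups.
    root = tempfile.mkdtemp()
    cache = os.path.join(root, "cache")
    os.makedirs(os.path.join(cache, "images"))
    os.makedirs(os.path.join(root, "backups"))
    results = {}
    for name in ["images", "../backups", os.path.join(root, "backups"), ""]:
        try:
            results[name] = delete_cache_folder(cache, name)
        except ValueError:
            results[name] = "rejected"
    results["backups_survived"] = os.path.isdir(os.path.join(root, "backups"))
    shutil.rmtree(root)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(repr(key), "->", value)
```

The check resolves the path before comparing, so relative segments, absolute paths and symlinks inside the cache are all evaluated against the real cache directory.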

PUBLISHED Reserved 2026-04-14 | Published 2026-06-04 | Updated 2026-06-04 | Assigner GitHub_M




MEDIUM: 5.7 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:P

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-73: External Control of File Name or Path

Product status

< 2.17.1
affected

References

github.com/...utulli/security/advisories/GHSA-fg46-xx7h-mhwr exploit

github.com/...utulli/security/advisories/GHSA-fg46-xx7h-mhwr

github.com/Tautulli/Tautulli/releases/tag/v2.17.1

cve.org (CVE-2026-40605)

nvd.nist.gov (CVE-2026-40605)
