CRITICALCVE-2026-32275Published 2026-03-30Modified 2026-04-01CNA GitHub_M

CVE-2026-32275: Tautulli: Unsanitized JSONP callback parameter allows cross-origin script injection and API key theft

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has been patched in version 2.17.0.

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: —
Affected Products: 1

Affected packages

Tautulli / Tautulli
>= 1.3.10, < 2.17.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References

https://github.com/Tautulli/Tautulli/security/advisories/GHSA-95mg-wpqw-9qxh
https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0

Metrics