HIGH | CVE-2026-43984 | Published | Modified | CNA GitHub_M

CVE-2026-43984: Tautulli has stored XSS in logFile via guest-controlled log_js_errors input

Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose `log_js_errors` to any authenticated user, including guest users when guest access is enabled. The endpoint writes attacker-controlled strings directly into the main application log. The administrator-only `logFile` view then reads that log file and embeds it into an HTML response without escaping. This creates a stored cross-site scripting condition where a low-privilege guest can inject HTML or JavaScript into the log file and have it execute in an administrator's browser when the log viewer is opened. Version 2.17.1 patches the issue.
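The pattern behind this bug and its fix, as an added illustration that is not Tautulli's own code: log lines that originate from client-supplied input must be HTML-escaped at the point where the log viewer embeds them in a response, and a viewer that concatenates raw log text into HTML is the vulnerable form. The function names and the sample log lines below are constructed for this example.

```python
import html
import re

# Constructed sample log: one ordinary line and one line that a guest could
# have produced through an endpoint that logs client-supplied strings verbatim.
SAMPLE_LOG = [
    "2026-01-01 12:00:00 - INFO :: WebUI :: Tautulli started",
    '2026-01-01 12:00:05 - ERROR :: WebUI :: JS error: <script>alert("xss")</script>',
]


def render_log_unescaped(lines):
    """Vulnerable pattern: raw log text is concatenated straight into HTML,
    so any markup stored in the log becomes live elements in the admin's browser."""
    return "<pre>" + "\n".join(lines) + "</pre>"


def render_log_escaped(lines):
    """Hardened pattern: every log line is HTML-escaped before embedding,
    so the browser renders attacker-written markup as inert text."""
    return "<pre>" + "\n".join(html.escape(line, quote=True) for line in lines) + "</pre>"


# Markup that should never appear in a plain-text application log: HTML tags,
# inline event-handler attributes, or javascript: URLs.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>|\bon\w+\s*=|javascript:", re.IGNORECASE)


def find_html_in_log(lines):
    """Detection aid for an existing log file: return the 1-based numbers of
    lines that contain markup, i.e. candidates for an injected payload."""
    return [i for i, line in enumerate(lines, 1) if TAG_RE.search(line)]


if __name__ == "__main__":
    print(render_log_escaped(SAMPLE_LOG))
    print("suspicious lines:", find_html_in_log(SAMPLE_LOG))
```

Running `find_html_in_log` over a real log is a cheap way to check whether a pre-2.17.1 instance has already received injected content before upgrading.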

Metrics

  • CVSS v3.1: 8.9
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1

HarborGuard Analysis

Synopsis

Stored cross-site scripting (XSS) in Tautulli, a Python-based Plex Media Server monitoring tool, allows a low-privilege or guest user to inject malicious JavaScript into the application log via the `log_js_errors` endpoint. The injected payload is stored in the log file and executes in an administrator's browser when the log viewer is opened, requiring no further attacker interaction after the initial write. Successful exploitation gives the attacker full control over the administrator's browser session, enabling credential theft, account takeover, or further actions within Tautulli. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment a fix version is published upstream.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-43984 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Tautulli, in connected registries and CI/CD pipelines.

Triage: Available

HarborGuard scores this CVE at CVSS 8.9 (HIGH) and is capable of weighting that score against each customer environment's compliance policy to flag affected workloads at the appropriate severity tier and route alerts to the correct team inbox within each organization.

Patch: Pending upstream

No fix version has been published upstream as of this writing; HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment version 2.17.1 or later is confirmed upstream. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once the fix is available.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Tautulli service over the network to call the `log_js_errors` endpoint; the CVSS vector specifies AV:N.

  • Authentication: Required

    A low-privilege account is sufficient; any authenticated user, including guest users when guest access is enabled, can invoke the vulnerable endpoint (PR:L).

  • Victim interaction: Required

    An administrator must open the log viewer in their browser to trigger the stored payload, representing a required social-engineering or coincidental interaction step (UI:R).

  • Attack complexity: Low (AC:L)

    The exploit is reliable and requires no special race conditions or environmental setup; CVSS specifies AC:L, meaning the attacker can write and wait for the payload to execute without additional preconditions.

Blast Radius

  • An attacker reads the administrator's active Tautulli session token, enabling full account takeover without knowing credentials.
  • Injected JavaScript can exfiltrate any data visible in the administrator's browser session, including API keys, configured integrations, and Plex user data displayed in the interface.
  • The attacker can modify Tautulli settings or trigger administrative actions silently within the compromised browser session, altering monitoring configuration or notification targets.
  • Service availability is partially affected (CVSS A:L); a crafted payload can degrade or disrupt the log viewer and dependent administrative workflows.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-43984 is active across all connected registries and pipelines, flagging any image that includes an affected Tautulli version below 2.17.1. Because no upstream fix has been published yet, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically once the upstream project ships a confirmed fix. In the interim, compensating controls worth evaluating include restricting guest access in Tautulli configuration to eliminate the lowest-privilege attack path, applying network policy to limit which internal principals can reach the Tautulli service, and ensuring the log viewer endpoint is not accessible from untrusted network segments. Where compliance policy permits, auto-remediation customers will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads as soon as the patched version is available.

Affected packages

  • Tautulli / Tautulli: < 2.17.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L