๐Ÿ” CVE Alert

CVE-2026-41065

UNKNOWN 0.0

Tautulli Vulnerable to Unauthenticated/Authenticated Remote Code Execution via Newsletter Custom Template Directory

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 are vulnerable to remote code execution via the newsletter custom template directory feature. On a fresh install before the setup wizard is completed, all management endpoints are completely unauthenticated. An attacker can create a newsletter agent, point the custom template directory to an attacker-controlled SMB share serving a malicious Mako template, and trigger execution via the newsletter render endpoint, all with zero credentials and no local access to the target system. On a completed install with credentials configured, the same chain is exploitable by any admin. Version 2.17.1 fixes the issue.

CWE: CWE-1336
Vendor: tautulli
Product: tautulli
Published: Jun 4, 2026
Last Updated: Jun 4, 2026

Affected Versions

Tautulli / Tautulli
< 2.17.1

References

github.com: https://github.com/Tautulli/Tautulli/security/advisories/GHSA-68qx-mcf5-3jcp
github.com: https://github.com/Tautulli/Tautulli/releases/tag/v2.17.1