HIGH🇬🇧 English

CVE-2026-28505

CVSS 7.5v4.0pub. 2026-03-30upd. 2026-04-02

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the str_eval() function in notification_handler.py implements a sandboxed eval() for notification text templates. The sandbox attempts to restrict callable names by inspecting code.co_names of the compiled code object. However, co_names only contains names from the outer code object. When a lambda expression is used, it creates a nested code object whose attribute accesses are stored in code.co_consts, NOT in code.co_names. The sandbox never inspects nested code objects. This issue has been patched in version 2.17.0.

oryginał EN
CVSS Vector
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Tautulli

    APP
    Tautulli
    < 2.17.0
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2025-58762CRITICAL9.1PL ✓ten sam produkt

Tautulli: RCE przez path traversal w endpoincie pms_image_proxy

CVE-2026-32275HIGH7.4ten sam produkt

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before v...

CVE-2026-31831HIGH8.7ten sam produkt

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /n...

CVE-2025-58763HIGH8.0ten sam produkt

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. A command injection vulnerabili...

CVE-2025-58760HIGH8.6ten sam produkt

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. The `/image` API endpoint in Ta...