CVE-2026-43984
W Tautulli występuje XSS, umożliwiający atakującym wykonanie kodu w przeglądarce administratora.
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose `log_js_errors` to any authenticated user, including guest users when guest access is enabled. The endpoint writes attacker-controlled strings directly into the main application log. The administrator-only `logFile` view then reads that log file and embeds it into an HTML response without escaping. This creates a stored cross-site scripting condition where a low-privilege guest can inject HTML or JavaScript into the log file and have it execute in an administrator's browser when the log viewer is opened. Version 2.17.1 patches the issue.
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 8.9 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.0% |
| Opublikowano (NVD) | 2026-06-04 16:16:37 UTC |
| Ostatnia modyfikacja (NVD) | 2026-06-04 18:16:30 UTC |
- https://github.com/Tautulli/Tautulli/releases/tag/v2.17.1 (security-advisories@github.com)
- https://github.com/Tautulli/Tautulli/security/advisories/GHSA-f4j7-pjwc-4jrr (security-advisories@github.com)