Path Traversal Vulnerability in Tautulli for Plex Media Server
CVE-2025-58760

8.6 HIGH

Key Information:

Vendor:
Tautulli
Status:
Vendor
CVE Published:
9 September 2025

What is CVE-2025-58760?

Tautulli, a monitoring tool for Plex Media Server, has a path traversal vulnerability in its unsecured /image API endpoint. In versions 2.15.3 and earlier, the flaw allows unauthenticated attackers to read sensitive files from the server's filesystem, including the tautulli.db database, which can expose active JWT tokens and other sensitive information. An attacker who retrieves a valid JWT token, or who cracks the hashed admin password, can escalate to administrative access.
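The two practical takeaways from this record are a mitigation (a file-serving endpoint must confine every requested path to its intended directory, after canonicalisation, so that neither `..` segments nor symlinks can reach files such as tautulli.db) and a detection (requests to /image whose decoded target contains a `..` segment are worth alerting on). The block below is an added example written for this page; it is not Tautulli's code, and the `img` query parameter, the function names, the directory layout and the log lines are all constructed assumptions rather than details taken from the project.

```python
import os
import re
import tempfile
from typing import List, Optional
from urllib.parse import unquote

# --- Mitigation: confine a requested image path to a fixed directory ----------
# Hypothetical hardened handler for an "/image"-style endpoint. It is NOT
# Tautulli's code and does not mirror its parameter names.

def resolve_image_path(base_dir: str, requested: str) -> Optional[str]:
    """Return the canonical path of a regular file inside base_dir, or None
    if the request is empty, absolute, contains a NUL byte, or would resolve
    (via '..' or a symlink) to anything outside base_dir."""
    if not requested or "\x00" in requested or os.path.isabs(requested):
        return None
    base = os.path.realpath(base_dir)
    # Join first, then canonicalise: realpath collapses '..' and follows
    # symlinks, so the containment check sees where the file really lives.
    candidate = os.path.realpath(os.path.join(base, requested))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:  # e.g. paths on different drives on Windows
        return None
    return candidate if os.path.isfile(candidate) else None

def build_fixture() -> dict:
    """Lay out a constructed temp directory (an 'images' folder beside a file
    it must never serve) and exercise the resolver on representative requests."""
    root = tempfile.mkdtemp()
    images = os.path.join(root, "images")
    os.makedirs(os.path.join(images, "sub"))
    with open(os.path.join(images, "poster.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8")                     # constructed JPEG header bytes
    with open(os.path.join(root, "secret.db"), "wb") as fh:
        fh.write(b"constructed database contents")
    # A symlink inside the served directory that points outside of it.
    os.symlink(os.path.join(root, "secret.db"), os.path.join(images, "link.db"))
    poster = os.path.realpath(os.path.join(images, "poster.jpg"))
    return {
        "normal": resolve_image_path(images, "poster.jpg") == poster,
        "inner_dotdot": resolve_image_path(images, "sub/../poster.jpg") == poster,
        "escape_dotdot": resolve_image_path(images, "../secret.db"),
        "absolute": resolve_image_path(images, os.path.join(root, "secret.db")),
        "symlink_out": resolve_image_path(images, "link.db"),
        "nul_byte": resolve_image_path(images, "poster.jpg\x00"),
    }

# --- Detection: flag /image requests whose decoded form contains '..' --------

# A '..' segment bounded by a path separator, '=' or '&' (query values too).
_DOTDOT_SEGMENT = re.compile(r"(?:^|[/=&])\.\.(?:[/&]|$)")
# Request field of a common-log-format line: "METHOD TARGET PROTO".
_REQUEST_FIELD = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def is_traversal_request(request_target: str) -> bool:
    """True when a request for the /image endpoint contains a '..' segment
    after percent-decoding (applied twice to catch double encoding) and
    normalising backslashes to forward slashes."""
    decoded = unquote(unquote(request_target)).replace("\\", "/")
    return decoded.startswith("/image") and bool(_DOTDOT_SEGMENT.search(decoded))

def scan_access_log(lines: List[str]) -> List[str]:
    """Return the request targets of log lines that look like traversal
    attempts against /image."""
    hits = []
    for line in lines:
        m = _REQUEST_FIELD.search(line)
        if m and is_traversal_request(m.group(1)):
            hits.append(m.group(1))
    return hits

# Constructed sample log lines (not real traffic; 'img' is an assumed name).
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Sep/2025:10:00:01 +0000] "GET /image?img=poster.jpg HTTP/1.1" 200 5120',
    '10.0.0.9 - - [09/Sep/2025:10:00:02 +0000] "GET /image?img=../../tautulli.db HTTP/1.1" 200 98304',
    '10.0.0.9 - - [09/Sep/2025:10:00:03 +0000] "GET /image?img=%2e%2e%2f%2e%2e%2fexample.txt HTTP/1.1" 404 0',
    '10.0.0.7 - - [09/Sep/2025:10:00:04 +0000] "GET /home HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(build_fixture())
    print(scan_access_log(SAMPLE_LOG))
```

The containment check deliberately runs after `os.path.realpath`, because a check on the raw string would pass a symlink that lives inside the served directory but points outside it; the fixture's `link.db` case shows that path being refused. On the detection side, decoding twice before matching is what catches the percent-encoded variant in the third sample line, which a plain substring search for `..` would miss.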

Affected Version(s)

Tautulli < 2.16.0

References

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
