Remote Code Execution Vulnerability in Tautulli for Plex Media Server
CVE-2025-58762

9.1CRITICAL

Key Information:

Vendor

Tautulli

Status
Tautulli
Vendor
CVE Published:
9 September 2025

What is CVE-2025-58762?

Tautulli, a monitoring tool for Plex Media Server, has a vulnerability that allows attackers with administrative access to exploit the pms_image_proxy endpoint. In Tautulli versions up to 2.15.3, this can lead to arbitrary file writing on the application's filesystem. By manipulating the img_format parameter, attackers can inject malicious Python scripts into the server. Once written, these scripts can be executed using Tautulli's built-in Script notification agent, granting the attacker remote code execution on the server. Users are advised to upgrade to version 2.16.0 to mitigate these risks.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Tautulli < 2.16.0

References

https://github.com/Tautulli/Tautulli/security/advisories/...
x_refsource_CONFIRM
https://github.com/Tautulli/Tautulli/commit/26e6b328112eb...
x_refsource_MISC

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.