Command Injection Vulnerability in Tautulli for Plex Media Server
CVE-2025-58763

8.1 HIGH

Key Information:

Vendor: Tautulli
Status: Vendor
CVE Published: 9 September 2025

What is CVE-2025-58763?

Tautulli, a monitoring and tracking tool for Plex Media Server, contains a command injection vulnerability in versions up to v2.15.3 (all releases before 2.16.0). An attacker who already holds administrative access to the web interface can use it to execute arbitrary commands on the application server. The flaw stems from unsafe handling of user input when the 'runGit' function in 'versioncheck.py' runs the 'git' command to manage updates: the 'checkout_git_branch' endpoint stores user-defined Git remote and branch names, and those stored values are later passed to 'git' without sanitization, so a crafted name leads to remote code execution. Tautulli 2.16.0 addresses the issue by adding the necessary safeguards.
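As an added illustration of the bug class described above (this is not Tautulli's versioncheck.py, and all function and variable names are assumptions), the snippet below contrasts the unsafe pattern, a user-controlled remote or branch name interpolated into a shell command line, with a hardened version that validates both names against a conservative subset of Git's ref-name rules and passes them to git as an argument list, never through a shell.

```python
import re
import subprocess
from typing import List

# Hypothetical illustration of the advisory's bug class; not Tautulli's own code.

def run_git_unsafe(git_args: str) -> str:
    # Unsafe: user-controlled remote/branch text becomes part of a shell command
    # line, so any shell metacharacters it contains are interpreted by /bin/sh.
    return subprocess.check_output("git " + git_args, shell=True, text=True)

# Conservative subset of git's ref-name rules (compare `git check-ref-format`):
# must start with a letter or digit (so it can never be parsed as a git option),
# only [A-Za-z0-9._/-] afterwards, no "..", no "@{", no ".lock" suffix, and no
# empty or dot-leading path component.
_REF_CHARS = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]*")

def is_safe_ref(name: str) -> bool:
    if not _REF_CHARS.fullmatch(name):
        return False
    if ".." in name or "@{" in name or name.endswith(".lock"):
        return False
    return all(part and not part.startswith(".") for part in name.split("/"))

def update_commands(remote: str, branch: str) -> List[List[str]]:
    """argv lists to fetch and check out remote/branch, after validating both names."""
    for value in (remote, branch):
        if not is_safe_ref(value):
            raise ValueError(f"rejected git ref name: {value!r}")
    return [
        ["git", "fetch", remote, branch],
        ["git", "checkout", "-B", branch, f"{remote}/{branch}"],
    ]

def run_git(argv: List[str]) -> str:
    # shell=False (the default): argv goes straight to execve with no shell
    # parsing, so every element reaches git as one literal argument.
    return subprocess.check_output(argv, text=True)

if __name__ == "__main__":
    for cmd in update_commands("origin", "master"):
        print(cmd)
```

The validation runs before any process is spawned, so a rejected name never reaches git at all; logging the rejection gives a useful detection signal for an administrator account being misused.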

Affected Version(s)

Tautulli < 2.16.0

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
