Cross-Origin Scripting Vulnerability in Tautulli for Plex Media Server
CVE-2026-32275

7.4HIGH

Key Information:

Vendor: Tautulli
Status: Tautulli
Vendor: CVE Published:; 30 March 2026

What is CVE-2026-32275?

Tautulli, a popular monitoring tool for Plex Media Server, has a vulnerability due to an unsanitized JSONP callback parameter that could permit cross-origin script injection. This flaw, which exists in versions 1.3.10 through 2.16.9, exposes users to the risk of API key theft and unauthorized access to sensitive information. The vulnerability has been addressed and patched in Tautulli version 2.17.0.

Affected Version(s)

Tautulli >= 1.3.10, < 2.17.0

References

https://github.com/Tautulli/Tautulli/security/advisories/...

x_refsource_CONFIRM

https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0

x_refsource_MISC

CVSS V4

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 30, 2026
Vulnerability Reserved
Mar 11, 2026

CVE-2026-32275 Data

JSON