Cross-Site Scripting Vulnerability in Tautulli for Plex Media Server
CVE-2026-43984

8.9 HIGH

Key Information:

Vendor

Tautulli

Status
Vendor
CVE Published: 4 June 2026

What is CVE-2026-43984?

Tautulli, a monitoring and tracking tool for Plex Media Server, contains a vulnerability in its log_js_errors endpoint, which any authenticated user, including a guest, can call. The endpoint writes attacker-controlled strings into the main application log. When an administrator later opens that log through the logFile view, the content is rendered unescaped, so injected HTML or JavaScript executes in the administrator's browser, which makes this a stored cross-site scripting flaw. The issue is fixed in version 2.17.1.
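
The escaping failure described above, as an added example (not Tautulli's code and not part of the original advisory): a log-view renderer in its unescaped and escaped forms, with a parser-based check that can serve as a regression test. All function names and the sample log lines are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample log lines (assumption, not real Tautulli output). The
# second line carries markup of the kind a client-supplied error string
# could contain.
SAMPLE_LOG = [
    "2026-06-01 10:00:01 - INFO :: WebUI :: page loaded",
    "2026-06-01 10:00:02 - ERROR :: WebUI :: JS error: <img src=x onerror=alert(1)>",
]


def render_unescaped(lines):
    """The 'before' pattern: log text concatenated straight into HTML."""
    return "<pre>" + "\n".join(lines) + "</pre>"


def render_escaped(lines):
    """Hardened form: each log line is HTML-escaped at output time."""
    return "<pre>" + "\n".join(html.escape(l, quote=True) for l in lines) + "</pre>"


class _TagCollector(HTMLParser):
    """Records every start tag an HTML parser sees in the rendered view."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def unexpected_tags(markup, allowed=("pre",)):
    """Return the tags in the rendered view that the template did not emit."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return [t for t in parser.tags if t not in allowed]


if __name__ == "__main__":
    print("unescaped view:", unexpected_tags(render_unescaped(SAMPLE_LOG)))
    print("escaped view:  ", unexpected_tags(render_escaped(SAMPLE_LOG)))
```

Escaping belongs at render time because the log file itself can already contain hostile strings written before an upgrade.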

Affected Version(s)

Tautulli < 2.17.1

CVSS V3.1

Score: 8.9
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved