
CVE-2026-28505

Published 30/03/2026 20:16 · Modified 30/03/2026 20:16

Labels: CVE-2026-28505 · 2026-03-30 · CWE-94 · [email protected]

Essential information

Published: 30/03/2026 20:16
Modified: 30/03/2026 20:16
Author: Creator
CVSS: 7.5 HIGH (v3), 7.5 HIGH (v4.0)
CISA KEV: No
CWE: CWE-94
CVSS vector:
CVSS metrics:

Description

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the str_eval() function in notification_handler.py implements a sandboxed eval() for notification text templates. The sandbox attempts to restrict callable names by inspecting code.co_names of the compiled code object. However, co_names only lists the names referenced directly by the outer code object. A lambda expression in the template is compiled into a nested code object, which is stored as a constant in the outer object's code.co_consts; the attribute and function names used in the lambda body live in that nested object's own co_names, where the outer co_names check never looks. Because the sandbox never inspects nested code objects, names that the check would reject at the top level pass unnoticed when wrapped in a lambda. This issue has been patched in version 2.17.0.
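The following is an added example, not Tautulli's code, that reproduces the inspection gap the description refers to: a shallow check over the outer code object's co_names beside a recursive walk that also descends into code objects found in co_consts. BLOCKED_NAMES, the template strings and the function names are constructed for this illustration and do not reproduce Tautulli's actual filter.

```python
from __future__ import annotations

import types

# Constructed denylist for this example; it is NOT Tautulli's real filter
# and exists only to make the two inspection strategies comparable.
BLOCKED_NAMES = {
    "__class__", "__bases__", "__mro__", "__subclasses__", "__globals__",
    "__builtins__", "__import__", "open", "eval", "exec", "getattr",
}


def names_shallow(code: types.CodeType) -> set[str]:
    """The flawed check: only the outer code object's co_names is consulted.

    A lambda, generator expression or nested def inside the expression is
    compiled into a separate code object that appears in co_consts, so any
    names used inside it never reach this set.
    """
    return set(code.co_names)


def names_recursive(code: types.CodeType) -> set[str]:
    """Collect co_names from the outer code object and from every nested code
    object reachable through co_consts (recursively, so a lambda inside a
    lambda is covered as well)."""
    names = set(code.co_names)
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            names |= names_recursive(const)
    return names


def check_template(expr: str, collect) -> list[str]:
    """Compile a template expression in 'eval' mode and return the blocked
    names that the given collector sees, sorted for stable comparison."""
    code = compile(expr, "<template>", "eval")
    return sorted(collect(code) & BLOCKED_NAMES)


# Constructed sample templates: the same class-walk expression written
# directly, and wrapped in a lambda that is immediately called.
DIRECT = "().__class__.__bases__[0].__subclasses__()"
VIA_LAMBDA = "(lambda: ().__class__.__bases__[0].__subclasses__())()"
BENIGN = "title.upper()"

if __name__ == "__main__":
    for label, expr in (("direct", DIRECT), ("lambda", VIA_LAMBDA), ("benign", BENIGN)):
        print(f"{label:7s} shallow={check_template(expr, names_shallow)} "
              f"recursive={check_template(expr, names_recursive)}")
```

Run as a script, the direct template trips the shallow check while the lambda-wrapped one yields an empty list; only the recursive walk reports the same blocked names for both. Walking co_consts closes this particular gap, but filtering names out of eval() input remains a denylist over a full language: if a template language needs expressions at all, parsing with ast and permitting only a small allowlist of node types, or avoiding eval() entirely, is the more defensible design.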

NVD status

Status: Received (the CVE has recently been published to the CVE List and has been received by the NVD)
Source: [email protected]

Affected products (CPE)

Product | CPE
tautulli / tautulli | cpe:2.3:a:tautulli:tautulli:<2.17.0:*:*:*:*:*:*:*
plex / plex media server | cpe:2.3:a:plex:plex_media_server:*:*:*:*:*:*:*:*

References