
Tautulli

v2.17.1 Security

This release includes 5 security fixes and is worth a close look from security teams reviewing exposed deployments.

Published about a month ago. Category: Monitoring & Metrics.
This release patches 5 known CVEs.

Topics

analytics, monitoring, notifications, plex, plexpy, python, statistics, stats, tautulli

Summary

Five security fixes: CVE-2026-41065 (remote code execution via the newsletter custom template directory), CVE-2026-40605 (path traversal in the cache deletion API), CVE-2026-43984 (XSS via unsanitized JS log errors), CVE-2026-43985 (missing anti-CSRF tokens and POST enforcement on state-changing endpoints) and CVE-2026-43986 (image hash stored for external images). The Windows and macOS packages move to Python 3.13. Upgrading invalidates all existing login sessions, and /auth/signin now requires an X-Api-Key header.

Changelog

v2.17.1 (2026-05-04)

  • Notifications:
    • Fix: Tautulli Remote App notifications failing to send. (#2669)
    • New: Added extra type and preroll to notification parameters.
    • New: Added Simkl URL to notification parameters.
  • Newsletters:
    • Fix: Remote code execution via newsletter custom template directory. (CVE-2026-41065) (Thanks @remindsec)
  • Exporter:
    • Fix: Export failed when logo / square art keys were included. (#2685)
  • UI:
    • Fix: Error when browsing for folder paths. (#2673)
    • New: Added AV1 media flag image. (#2676) (Thanks @little0831)
    • New: Added opus media flag image.
  • Other:
    • Fix: Clean empty directories after updating using git. (#2667)
    • Fix: Tautulli failing to reconnect to Plex Media Server until restarted after a connection loss at startup. (#2640)
    • Fix: Path traversal in cache deletion API. (CVE-2026-40605) (Thanks @JakePeralta7)
    • Fix: Websocket not exiting and reconnecting cleanly after changing Plex servers.
    • Fix: Sanitize JS log errors to prevent XSS. (CVE-2026-43984) (Thanks @larlarua)
    • Fix: Do not store image hash for external images. (CVE-2026-43986) (Thanks @larlarua)
    • New: Update Windows and MacOS packages to Python 3.13.
    • New: Update Snap package to core24.
    • New: Using mounted folders for custom newsletter templates and scripts requires manually enabling allow_mounted_folders = 1 in the config file.
    • New: Added anti-CSRF tokens and enforce POST methods to state change endpoints. (CVE-2026-43985) (Thanks @larlarua)
    • New: Hash Tautulli cookie name. All existing login sessions will be invalidated after the update.
    • New: Require X-Api-Key header for login through the /auth/signin endpoint.
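The changelog entry for CVE-2026-40605 names the bug class (path traversal in a cache deletion API) but not the mechanics. The block below is an added illustration of that class and of the containment check that closes it; it is not Tautulli's code and does not claim to reproduce the actual vulnerable function. The cache layout, file names and the "config.ini" victim file are constructed in a temporary directory so the script runs offline.

```python
import os
import tempfile


def is_within(root: str, candidate: str) -> bool:
    """True only if candidate resolves to a location inside root.

    realpath() collapses '..' segments and follows symlinks, so a symlinked
    subdirectory inside the cache that points outside it is rejected too.
    """
    root_real = os.path.realpath(root)
    cand_real = os.path.realpath(candidate)
    try:
        return os.path.commonpath([root_real, cand_real]) == root_real
    except ValueError:  # e.g. paths on different drives on Windows
        return False


def delete_cached_image_unsafe(cache_root: str, name: str) -> bool:
    """Illustrative traversal bug: the caller-supplied name is joined onto
    the cache root and deleted with no containment check."""
    target = os.path.join(cache_root, name)
    if os.path.isfile(target):
        os.remove(target)
        return True
    return False


def delete_cached_image(cache_root: str, name: str) -> bool:
    """Hardened form: refuse empty or absolute names, NUL bytes, and any
    name whose resolved path escapes the cache directory."""
    if not name or "\x00" in name or os.path.isabs(name):
        return False
    target = os.path.join(cache_root, name)
    if not is_within(cache_root, target):
        return False
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo() -> dict:
    """Run both variants against a constructed layout in a temp dir."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cache = os.path.join(tmp, "cache")
        os.makedirs(cache)
        secret = os.path.join(tmp, "config.ini")  # constructed file outside the cache
        inside = os.path.join(cache, "thumb.png")  # constructed file inside the cache

        def touch(path):
            with open(path, "w"):
                pass

        # 1. unsafe variant: '../config.ini' escapes the cache and is deleted
        touch(secret)
        results["unsafe_deleted_outside"] = delete_cached_image_unsafe(cache, "../config.ini")
        results["secret_survives_unsafe"] = os.path.exists(secret)

        # 2. hardened variant refuses the same input; the file is untouched
        touch(secret)
        results["safe_deleted_outside"] = delete_cached_image(cache, "../config.ini")
        results["secret_survives_safe"] = os.path.exists(secret)

        # 3. hardened variant still deletes a legitimate cache entry
        touch(inside)
        results["safe_deleted_inside"] = delete_cached_image(cache, "thumb.png")

        # 4. symlinked directory inside the cache that points outside it
        results["safe_via_symlink_dir"] = None
        if hasattr(os, "symlink"):
            try:
                os.symlink(tmp, os.path.join(cache, "link"))
                touch(secret)
                results["safe_via_symlink_dir"] = delete_cached_image(cache, "link/config.ini")
            except OSError:
                pass  # symlink creation not permitted on this platform
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check compares resolved paths rather than looking for ".." in the input: encoded or symlinked variants of the same escape are caught the same way, and a legitimate nested cache entry still passes.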


Breaking Changes

  • Require X-Api-Key header for login via /auth/signin endpoint.
  • Hashing of Tautulli cookie name invalidates all existing sessions on upgrade.
  • Windows and macOS packages are now built on Python 3.13.

Security Fixes

  • CVE-2026-41065 — Remote code execution via newsletter custom template directory.
  • CVE-2026-40605 — Path traversal in cache deletion API.
  • CVE-2026-43984 — Cross-site scripting via unsanitized JS log errors; errors are now sanitized.
  • CVE-2026-43986 — Image hash was stored for external images; no longer stored.
  • CVE-2026-43985 — Added anti‑CSRF tokens and enforced POST on state change endpoints.
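For an operator deciding what to do with the Breaking Changes and Security Fixes lists above, the following added script turns them into a pre-upgrade triage: it reports which of the five CVEs are still present at a given Tautulli version and whether the config has the mounted-folders option enabled (the option the changelog ties to custom newsletter templates, the vector of CVE-2026-41065). This is example code written for this page, not part of Tautulli. Assumptions: the version string looks like "v2.17.1" (optionally with a suffix such as "-beta"), and the config file is INI-style text; the page does not say which section holds allow_mounted_folders, so every section is searched. The sample config is constructed.

```python
import configparser
import re

# Versions below this ship without the five fixes listed on this page.
FIXED_IN = (2, 17, 1)
CVES_FIXED_IN_2_17_1 = (
    "CVE-2026-41065",  # RCE via newsletter custom template directory
    "CVE-2026-40605",  # path traversal in cache deletion API
    "CVE-2026-43984",  # XSS via unsanitized JS log errors
    "CVE-2026-43985",  # missing anti-CSRF tokens / non-POST state changes
    "CVE-2026-43986",  # image hash stored for external images
)


def parse_version(text: str) -> tuple:
    """Parse 'v2.17.1', '2.17.1' or '2.18.0-beta' into (major, minor, patch)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def unpatched_cves(version_text: str) -> list:
    """CVEs fixed in 2.17.1 that are still present at the given version."""
    if parse_version(version_text) < FIXED_IN:
        return list(CVES_FIXED_IN_2_17_1)
    return []


def mounted_folders_enabled(config_text: str) -> bool:
    """True if allow_mounted_folders = 1 is set in any section.

    Assumption: INI-style config text; the key's section is not stated on
    the page, so all sections are searched.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    for section in cp.sections():
        if cp.has_option(section, "allow_mounted_folders"):
            value = cp.get(section, "allow_mounted_folders").strip().strip("\"'")
            return value == "1"
    return False


def triage(version_text: str, config_text: str) -> dict:
    """Summarise what an operator needs to know before upgrading."""
    pre_fix = parse_version(version_text) < FIXED_IN
    return {
        "version": version_text.strip(),
        "unpatched_cves": unpatched_cves(version_text),
        # Mounted template/script folders widen the surface of the
        # newsletter-template vector; worth reviewing before re-enabling.
        "mounted_template_folders_enabled": mounted_folders_enabled(config_text),
        # The cookie name is hashed in 2.17.1, so upgrading from an earlier
        # version logs every existing session out.
        "sessions_reset_on_upgrade": pre_fix,
    }


# Constructed sample, not a real Tautulli config.ini.
SAMPLE_CONFIG = """\
[General]
http_port = 8181
allow_mounted_folders = 1
"""

if __name__ == "__main__":
    for key, value in triage("v2.16.5", SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against the version string your instance reports and a copy of its config file; any non-empty unpatched_cves list is a reason to upgrade, and a True for mounted_template_folders_enabled means the template directory should be reviewed for anything an untrusted user could have written there.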


About Tautulli

A Python based monitoring and tracking tool for Plex Media Server.
