Tautulli

Changelog

v2.17.1 (2026-05-04)

• Notifications:
  • Fix: Tautulli Remote App notifications failing to send. (#2669)
  • New: Added extra type and preroll to notification parameters.
  • New: Added Simkl URL to notification parameters.
• Newsletters:
  • Fix: Remote code execution via newsletter custom template directory. (CVE-2026-41065) (Thanks @remindsec)
• Exporter:
  • Fix: Export failed when logo / square art keys were included. (#2685)
• UI:
  • Fix: Error when browsing for folder paths. (#2673)
  • New: Added AV1 media flag image. (#2676) (Thanks @little0831)
  • New: Added opus media flag image.
• Other:
  • Fix: Clean empty directories after updating using git. (#2667)
  • Fix: Tautulli failing to reconnect to Plex Media Server until restarted after a connection loss at startup. (#2640)
  • Fix: Path treversal in cache deletion API. (CVE-2026-40605) (Thanks @JakePeralta7)
  • Fix: Websocket not exiting and reconnecting cleanly after changing Plex servers.
  • Fix: Sanitize JS log errors to prevent XSS. (CVE-2026-43984) (Thanks @larlarua)
  • Fix: Do not store image hash for external images. (CVE-2026-43986) (Thanks @larlarua)
  • New: Update Windows and MacOS packages to Python 3.13.
  • New: Update Snap package to core24.
  • New: Using mounted folders for custom newsletter templates and scripts requires manually enabling allow_mounted_folders = 1 in the config file.
  • New: Added anti-CSRF tokens and enforce POST methods to state change endpoints. (CVE-2026-43985) (Thanks @larlarua)
  • New: Hash Tautulli cookie name. All existing login sessions will be invalidated after the update.
  • New: Require X-Api-Key header for login through the /auth/signin endpoint.

🛡 VirusTotal GitHub Action analysis:

• Tautulli-macos-v2.17.1-universal.pkg
• Tautulli-windows-v2.17.1-x64.exe