
Release history

Tautulli releases

A Python based monitoring and tracking tool for Plex Media Server.

All releases


v2.17.1 Breaking risk
⚠ Upgrade required
  • Enable allow_mounted_folders = 1 in the config file to use mounted folders for custom newsletter templates and scripts.
  • All existing login sessions will be invalidated after upgrading due to cookie name hashing.
Breaking changes
  • Require X-Api-Key header for login via /auth/signin endpoint.
  • Hashing of Tautulli cookie name invalidates all existing sessions on upgrade.
  • Minimum Python version bumped to 3.13 for Windows and macOS packages.
Security fixes
  • CVE-2026-41065 — Remote code execution via newsletter custom template directory.
  • CVE-2026-40605 — Path traversal in cache deletion API.
  • CVE-2026-43984 — XSS prevention by sanitizing JS log errors.
Notable features
  • Added extra type and preroll fields to notification parameters.
  • Added Simkl URL field to notification parameters.
  • AV1 and opus media flag images added to UI.

Changelog

v2.17.1 (2026-05-04)

  • Notifications:
    • Fix: Tautulli Remote App notifications failing to send. (#2669)
    • New: Added extra type and preroll to notification parameters.
    • New: Added Simkl URL to notification parameters.
  • Newsletters:
    • Fix: Remote code execution via newsletter custom template directory. (CVE-2026-41065) (Thanks @remindsec)
  • Exporter:
    • Fix: Export failed when logo / square art keys were included. (#2685)
  • UI:
    • Fix: Error when browsing for folder paths. (#2673)
    • New: Added AV1 media flag image. (#2676) (Thanks @little0831)
    • New: Added opus media flag image.
  • Other:
    • Fix: Clean empty directories after updating using git. (#2667)
    • Fix: Tautulli failing to reconnect to Plex Media Server until restarted after a connection loss at startup. (#2640)
    • Fix: Path traversal in cache deletion API. (CVE-2026-40605) (Thanks @JakePeralta7)
    • Fix: Websocket not exiting and reconnecting cleanly after changing Plex servers.
    • Fix: Sanitize JS log errors to prevent XSS. (CVE-2026-43984) (Thanks @larlarua)
    • Fix: Do not store image hash for external images. (CVE-2026-43986) (Thanks @larlarua)
    • New: Update Windows and macOS packages to Python 3.13.
    • New: Update Snap package to core24.
    • New: Using mounted folders for custom newsletter templates and scripts requires manually enabling allow_mounted_folders = 1 in the config file.
    • New: Added anti-CSRF tokens and enforced POST methods for state change endpoints. (CVE-2026-43985) (Thanks @larlarua)
    • New: Hash Tautulli cookie name. All existing login sessions will be invalidated after the update.
    • New: Require X-Api-Key header for login through the /auth/signin endpoint.


v2.17.0 Security relevant
Breaking changes
  • Dropped Python 3.9 support, minimum is now 3.10
  • Removed get_apikey API command
Security fixes
  • CVE-2026-28505: RCE in notification text evaluation
  • CVE-2026-31831: Unauthenticated path traversal in /newsletter/image/images
  • CVE-2026-31799: SQL injection in get_home_stats API
Notable features
  • Added rating to get_home_stats API

v2.16.1 New feature
Notable features
  • Plex token expired notification trigger
  • Ace editor for newsletter text
  • DD:HH:MM and HH:MM:SS time formats
