Zero Day Monitor (ZDM)
Zero Day Monitor © 2026
CVE-2026-28505 · EXPLOITED · PATCHED
Vendor: null · Product: tautulli

Tautulli: RCE via eval() sandbox bypass using lambda nested scope to escape co_names whitelist check

Description

A vulnerability classified as critical has been found in Tautulli up to 2.16.x. The affected function is str_eval in the file notification_handler.py. Performing a manipulation results in code injection. This vulnerability is tracked as CVE-2026-28505. Remote exploitation is possible. Upgrading the affected component is recommended.

Affected Products

Vendor   Product    Versions
null     tautulli   < 2.17.0, 2.16.x

References

  • https://github.com/Tautulli/Tautulli/security/advisories/GHSA-m62j-gwm9-7p8m (x_refsource_CONFIRM)
  • https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0 (x_refsource_MISC)

Related News (1 article)

Tier C · VulDB · 2h ago
CVE-2026-28505 | Tautulli up to 2.16.x notification_handler.py str_eval code injection (GHSA-m62j-gwm9-7p8m)
→ No new info (linked only)

CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: 2.17.0
CWE: CWE-94, CWE-95
Published: Mar 30, 2026
Last enriched: 2h ago (v2)
Trending Score: 63
Source articles: 1
Independent: 1
Info Completeness: 8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

CRITICAL · CVE-2026-31804 · EXP
Tautulli: Unauthenticated pms_image_proxy endpoint proxies arbitrary HTTP requests through the Plex Media Server
Trending: 50
HIGH · CVE-2026-32275 · EXP
Tautulli: Unsanitized JSONP callback parameter allows cross-origin script injection and API key theft
Trending: 47
HIGH · CVE-2026-31831 · EXP
Tautulli: Unauthenticated Path Traversal in `/newsletter/image/images` endpoint
Trending: 47
CRITICAL · CVE-2026-31799
Tautulli: SQL Injection in get_home_stats API endpoint via unsanitised filter parameters
Trending: 38
HIGH · CVE-2026-34070 · EXP
LangChain Core has Path Traversal vulnerabilities in legacy `load_prompt` functions
Trending: 38

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Mar 30, 2026
Discovered by ZDM: Mar 30, 2026
Actively Exploited: Mar 30, 2026
Patch Available: Mar 30, 2026
Updated (description, affectedVersions, severity, activelyExploited, patchAvailable): Mar 30, 2026

Version History

Current: v2 (last enriched 2h ago)

v2 · Tier C · 2h ago
Updated severity to CRITICAL, added vendor and product information, and specified affected versions as 2.16.x.
Fields changed: description, affectedVersions, severity, activelyExploited, patchAvailable
via VulDB

v1 · 4h ago
Initial creation