Zero Day Monitor (ZDM) © 2026
CVE-2026-31799 · CVSS 4.9 · PATCHED
Vendor: null · Product: tautulli

Tautulli: SQL Injection in get_home_stats API endpoint via unsanitised filter parameters

Description

Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. From version 2.14.2 to before version 2.17.0 (for the "before" and "after" parameters) and from version 2.1.0-beta to before version 2.17.0 (for the "section_id" and "user_id" parameters), the /api/v2?cmd=get_home_stats endpoint passes the section_id, user_id, before, and after query parameters directly into SQL via Python %-string formatting, without parameterization. An attacker who holds the Tautulli admin API key can inject arbitrary SQL and exfiltrate any value from the Tautulli SQLite database via boolean-blind inference. This issue has been patched in version 2.17.0.
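The pattern the advisory describes (a filter value %-formatted into the SQL text) next to its parameterized replacement, as an added example that is not Tautulli's code: the table, column names, sample rows and function names are constructed stand-ins.

```python
import sqlite3

# Constructed stand-in for Tautulli's history table; not Tautulli's real schema.
SAMPLE_ROWS = [
    (1, 101, "Movie A", 1700000000),
    (1, 102, "Movie B", 1700000100),
    (2, 101, "Show C", 1700000200),
]

def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE session_history "
                 "(section_id INTEGER, user_id INTEGER, title TEXT, started INTEGER)")
    conn.executemany("INSERT INTO session_history VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def home_stats_vulnerable(conn, section_id):
    """Advisory pattern: the raw query parameter is %-formatted into the SQL text,
    so whatever it contains is parsed as SQL grammar rather than as a value."""
    sql = "SELECT title FROM session_history WHERE section_id = %s" % section_id
    return [row[0] for row in conn.execute(sql)]

def _as_int(value):
    """Reject anything that is not an integer before it reaches the database."""
    try:
        return int(value)
    except (TypeError, ValueError):
        raise ValueError("filter parameters must be integers") from None

def home_stats_hardened(conn, section_id=None, user_id=None, before=None, after=None):
    """Same filters built from fixed column names with '?' placeholders;
    every user-supplied value is validated as an integer and bound as data."""
    clauses, params = [], []
    for column, value in (("section_id", section_id), ("user_id", user_id)):
        if value is not None:
            clauses.append(f"{column} = ?")   # column name is a constant, not input
            params.append(_as_int(value))
    if after is not None:
        clauses.append("started >= ?")
        params.append(_as_int(after))
    if before is not None:
        clauses.append("started <= ?")
        params.append(_as_int(before))
    sql = "SELECT title FROM session_history"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return [row[0] for row in conn.execute(sql, params)]
```

With the vulnerable function a non-numeric filter string alters the WHERE clause itself; the hardened one either binds an integer or refuses the request.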

Affected Products

Vendor   Product    Versions
null     tautulli   >= 2.1.0-beta, < 2.17.0, <= 2.16.x

References

  • https://github.com/Tautulli/Tautulli/security/advisories/GHSA-g47q-8j8w-m63q (x_refsource_CONFIRM)
  • https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0 (x_refsource_MISC)

Related News (1 article)

Tier C · VulDB · 2h ago
CVE-2026-31799 | Tautulli up to 2.16.x Admin API Key v2?cmd=get_home_stats section_id/user_id sql injection (GHSA-g47q-8j8w-m63q)
→ No new info (linked only)
CVSS 3.1: 4.9 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CISA KEV: No
Actively exploited: No
Patch available: 2.17.0
CWE: CWE-89, CWE-20
Published: Mar 30, 2026
Last enriched: 2h ago (v2)
Trending Score: 38
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack


Related CVEs (5)

CRITICAL · CVE-2026-28505 · EXP
Tautulli: RCE via eval() sandbox bypass using lambda nested scope to escape co_names whitelist check
Trending: 63
CRITICAL · CVE-2026-31804 · EXP
Tautulli: Unauthenticated pms_image_proxy endpoint proxies arbitrary HTTP requests through the Plex Media Server
Trending: 50
HIGH · CVE-2026-32275 · EXP
Tautulli: Unsanitized JSONP callback parameter allows cross-origin script injection and API key theft
Trending: 47
HIGH · CVE-2026-31831 · EXP
Tautulli: Unauthenticated Path Traversal in `/newsletter/image/images` endpoint
Trending: 47
HIGH · CVE-2026-34070 · EXP
LangChain Core has Path Traversal vulnerabilities in legacy `load_prompt` functions
Trending: 38


Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Mar 30, 2026
Discovered by ZDM
Mar 30, 2026
Patch Available
Mar 30, 2026
Updated: affectedVersions, severity, patchAvailable
Mar 30, 2026

Version History

v2 · Tier C · 2h ago (last enriched)

Updated vendor to Tautulli, changed severity to CRITICAL, and specified affected versions as <= 2.16.x.

Fields changed: affectedVersions, severity, patchAvailable
via VulDB
v1 · 4h ago

Initial creation