Zero Day MonitorZDM

← Back to list

7.5

CVE-2026-32275EXPLOITEDPATCHED

null · tautulli

Tautulli: Unsanitized JSONP callback parameter allows cross-origin script injection and API key theft

Description

A vulnerability was found in Tautulli up to 2.16.x and classified as problematic. Impacted is an unknown function of the component JSONP Call Handler. Such manipulation leads to cross site scripting. This vulnerability is referenced as CVE-2026-32275. It is possible to launch the attack remotely.

Affected Products

Vendor	Product	Versions
null	tautulli	>= 1.3.10, < 2.17.0

References

https://github.com/Tautulli/Tautulli/security/advisories/GHSA-95mg-wpqw-9qxh(x_refsource_CONFIRM)
https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0(x_refsource_MISC)

Related News (1 articles)

Tier C

VulDB4h ago

CVE-2026-32275 | Tautulli up to 2.16.x JSONP Call cross site scripting (GHSA-95mg-wpqw-9qxh)

→ No new info (linked only)

CVSS 3.17.5 HIGH

CISA KEV❌ No

Actively exploited✅ Yes

Patch available2.17.0

CWECWE-79

PublishedMar 30, 2026

Last enriched4h agov2

Trending Score46

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-28505EXP

Tautulli: RCE via eval() sandbox bypass using lambda nested scope to escape co_names whitelist check

CRITICALCVE-2026-31804EXP

Tautulli: Unauthenticated pms_image_proxy endpoint proxies arbitrary HTTP requests through the Plex Media Server

HIGHCVE-2026-31831EXP

Tautulli: Unauthenticated Path Traversal in `/newsletter/image/images` endpoint

CRITICALCVE-2026-31799

Tautulli: SQL Injection in get_home_stats API endpoint via unsanitised filter parameters

HIGHCVE-2026-34070EXP

LangChain Core has Path Traversal vulnerabilites in legacy `load_prompt` functions

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Mar 30, 2026

Actively Exploited

Mar 30, 2026

Patch Available

Mar 30, 2026

Discovered by ZDM

Mar 30, 2026

Updated: description, severity, cvssEstimate, activelyExploited, patchAvailable

Mar 30, 2026

Version History

v2

Last enriched 4h ago

v2Tier C4h ago

Updated vendor to Tautulli, severity to HIGH, CVSS estimate to 7.5, and noted that the vulnerability is actively exploited.

descriptionseveritycvssEstimateactivelyExploitedpatchAvailable

via VulDB

v16h ago

Initial creation