CVE-2026-40605
MEDIUM
Tautulli Vulnerable to Authenticated Path Traversal in Cache Deletion API
Title source: cna
Description
Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.1, a path traversal vulnerability in the cache deletion endpoint allows authenticated API access to delete directories outside the configured cache path. This can cause arbitrary data loss and service disruption. Version 2.17.1 fixes the issue.
References (2)
Core References
x_refsource_confirm
https://github.com/Tautulli/Tautulli/security/advisories/GHSA-fg46-xx7h-mhwr
x_refsource_misc
https://github.com/Tautulli/Tautulli/releases/tag/v2.17.1
Scores
CVSS v4
5.7
EPSS
0.0030
EPSS Percentile
21.8%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
CWE-73
Status
published
Products (1)
Tautulli/Tautulli
< 2.17.1
Published
Jun 04, 2026
Tracked Since
Jun 04, 2026