{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32275", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T15:05:48.400Z", "datePublished": "2026-03-30T19:43:06.878Z", "dateUpdated": "2026-04-01T18:24:07.476Z"}, "containers": {"cna": {"title": "Tautulli: Unsanitized JSONP callback parameter allows cross-origin script injection and API key theft", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-95mg-wpqw-9qxh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-95mg-wpqw-9qxh"}, {"name": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0"}], "affected": [{"vendor": "Tautulli", "product": "Tautulli", "versions": [{"version": ">= 1.3.10, < 2.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T19:43:06.878Z"}, "descriptions": [{"lang": "en", "value": "Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has been patched in version 2.17.0."}], "source": {"advisory": "GHSA-95mg-wpqw-9qxh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T18:23:23.498580Z", "id": "CVE-2026-32275", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T18:24:07.476Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has been patched in version 2.17.0."}], "id": "CVE-2026-32275", "lastModified": "2026-03-30T20:16:21.980", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-30T20:16:21.980", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-95mg-wpqw-9qxh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.3.10,2.17.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Tautulli", "source": "cna", "vendor": "Tautulli"}, "product": "tautulli", "vendor": "tautulli"}], "analysis": {"en": {"generated_at": "2026-03-31T04:21:04.923727+00:00", "value": {"mitigation_remediation": ["Update Tautulli to version 2.17.0 or later", "Verify that the JSONP endpoint is no longer accessible or has proper input validation", "If upgrading immediately is not possible, restrict access to the vulnerable endpoint and monitor for anomalous activity"], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011site scripting that allows attackers to inject JavaScript and steal API keys"}, "threat_synthesis": {"affected_systems": "The vulnerability affects installations of Tautulli from release 1.3.10 up to, but not including, version 2.17.0. Any environment running the vulnerable build that exposes the JSONP endpoint (typically the web interface) is at risk.", "description_and_impact": "Tautulli versions between 1.3.10 and before 2.17.0 contain a flaw where the JSONP callback parameter is not sanitized. An attacker can remotely supply malicious callback content that is returned directly to the client, enabling cross\u2011origin script injection. The injected script can read the user's authentication token or API key, granting the attacker full access to administrative functions and sensitive media data.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.4, indicating a high severity level. The EPSS score is not available, but the lack of public exploitation references implies a moderate exploitation probability. The vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. Attackers can exploit the flaw by constructing a specially crafted request to the JSONP endpoint exposed over HTTP/HTTPS, leading to script execution in the context of authorized users."}}}}, "created": "2026-03-31T20:00:04.091327+00:00", "updated": "2026-03-31T20:40:16.366307+00:00", "vendors": ["tautulli", "tautulli$PRODUCT$tautulli"]}