Vulnerability Description
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the str_eval() function in notification_handler.py implements a sandboxed eval() for notification text templates. The sandbox attempts to restrict callable names by inspecting code.co_names of the compiled code object. However, co_names only contains names from the outer code object. When a lambda expression is used, it creates a nested code object whose attribute accesses are stored in code.co_consts, NOT in code.co_names. The sandbox never inspects nested code objects. This issue has been patched in version 2.17.0.
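As an added example (not Tautulli's code), the following shows why a check based only on the outer code object's `co_names` misses names that a lambda moves into a nested code object stored in `co_consts`, and how a recursive walk closes that gap. The template strings and the allowlist are constructed for illustration.

```python
import types


def compile_template(expr: str) -> types.CodeType:
    """Compile a notification template expression in eval mode (constructed example)."""
    return compile(expr, "<template>", "eval")


def outer_names(expr: str) -> set[str]:
    """The naive check: only the top-level code object's co_names."""
    return set(compile_template(expr).co_names)


def collect_names(code: types.CodeType) -> set[str]:
    """Union of co_names over this code object and every code object nested in
    its co_consts (lambdas, and comprehensions on Python versions that still
    compile them to separate code objects). Recursion handles lambdas inside lambdas."""
    names = set(code.co_names)
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            names |= collect_names(const)
    return names


def all_names(expr: str) -> set[str]:
    """The hardened check: names from the outer and all nested code objects."""
    return collect_names(compile_template(expr))


def naive_allowed(expr: str, allowlist: set[str]) -> bool:
    """Allowlist enforcement using only outer co_names (insufficient)."""
    return outer_names(expr) <= allowlist


def hardened_allowed(expr: str, allowlist: set[str]) -> bool:
    """Allowlist enforcement over every name the expression can touch."""
    return all_names(expr) <= allowlist


if __name__ == "__main__":
    allowlist = {"title", "upper"}          # constructed allowlist
    direct = "title.upper()"                # names sit in the outer co_names
    nested = "(lambda: title.upper)()"      # names sit only in the lambda's code object
    print(outer_names(direct), outer_names(nested))   # {'title', 'upper'} set()
    print(all_names(nested))                          # {'title', 'upper'}
    print(naive_allowed(nested, {"title"}), hardened_allowed(nested, {"title"}))
```

The naive check returns an empty name set for the lambda form, so any allowlist or blocklist applied to it is bypassed, while the recursive walk reports the same names the direct form does.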
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Tautulli | Tautulli | < 2.17.0 |
Related Weaknesses (CWE)
References
- https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0 (Release Notes)
- https://github.com/Tautulli/Tautulli/security/advisories/GHSA-m62j-gwm9-7p8m (Vendor Advisory, Exploit)
FAQ
What is CVE-2026-28505?
CVE-2026-28505 is a vulnerability with a CVSS score of 10.0 (CRITICAL). Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the str_eval() function in notification_handler.py implements a sandboxed eval() for notificatio...
How severe is CVE-2026-28505?
CVE-2026-28505 has been rated CRITICAL with a CVSS base score of 10.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-28505?
Check the references section above for vendor advisories and patch information. Affected products include: Tautulli (vendor: Tautulli), versions prior to 2.17.0.