CVE-2025-58762
CVE-2025-58762 is a critical-severity vulnerability in Tautulli with a CVSS 3.x base score of 9.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-73.
Key facts
- Severity: Critical (CVSS 3.x base score 9.1)
- EPSS exploit prediction: 1% (51st percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2025-27467
- Weakness: CWE-73
- Affected product: Tautulli
- Published:
- Last modified:
Description
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. In Tautulli v2.15.3 and earlier, an attacker with administrative access can use the `pms_image_proxy` endpoint to write arbitrary python scripts into the application filesystem. This leads to remote code execution when combined with the `Script` notification agent. If an attacker with administrative access changes the URL of the PMS to a server they control, they can then abuse the `pms_image_proxy` to obtain a file write into the application filesystem. This can be done by making a `pms_image_proxy` request with a URL in the `img` parameter and the desired file name in the `img_format` parameter. Tautulli then uses a hash of the desired metadata together with the `img_format` in order to construct a file path. Since the attacker controls `img_format` which occupies the end of the file path, and `img_format` is not sanitised, the attacker can then use path traversal characters to specify filename of their choosing. If the specified file does not exist, Tautaulli will then attempt to fetch the image from the configured PMS. Since the attacker controls the PMS, they can return arbitrary content in response to this request, which will then be written into the specified file. An attacker can write an arbitrary python script into a location on the application file system. The attacker can then make use of the built-in `Script` notification agent to run the local script, obtaining remote code execution on the application server. Users should upgrade to version 2.16.0 to receive a patch.
Frequently asked questions
- What is CVE-2025-58762?
- Tautulli is a Python based monitoring and tracking tool for Plex Media Server. In Tautulli v2.15.3 and earlier, an attacker with administrative access can use the `pms_image_proxy` endpoint to write arbitrary python scripts into the application filesystem. This leads to remote code execution when combined with the `Script` notification agent. If an attacker with administrative access changes the URL of the PMS to a server they control, they can then abuse the `pms_image_proxy` to obtain a file write into the application filesystem. This can be done by making a `pms_image_proxy` request with a URL in the `img` parameter and the desired file name in the `img_format` parameter. Tautulli then uses a hash of the desired metadata together with the `img_format` in order to construct a file path. Since the attacker controls `img_format` which occupies the end of the file path, and `img_format` is not sanitised, the attacker can then use path traversal characters to specify filename of their choosing. If the specified file does not exist, Tautaulli will then attempt to fetch the image from the configured PMS. Since the attacker controls the PMS, they can return arbitrary content in response to this request, which will then be written into the specified file. An attacker can write an arbitrary python script into a location on the application file system. The attacker can then make use of the built-in `Script` notification agent to run the local script, obtaining remote code execution on the application server. Users should upgrade to version 2.16.0 to receive a patch.
- How severe is CVE-2025-58762?
- CVE-2025-58762 has a CVSS 3.x base score of 9.1, rated critical severity. It is exploitable over network with low attack complexity, requires high privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2025-58762 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (51st percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2025-58762?
- CVE-2025-58762 affects Tautulli. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2025-58762?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- Does CVE-2025-58762 have an EU (EUVD) identifier?
- Yes. CVE-2025-58762 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-27467.
- When was CVE-2025-58762 published?
- CVE-2025-58762 was published on 2025-09-09 and last updated on 2026-06-17.
References
- https://github.com/Tautulli/Tautulli/commit/26e6b328112eb2cf35c164f981e0718f3a3d31a7
- https://github.com/Tautulli/Tautulli/security/advisories/GHSA-pxhr-29gv-4j8v
Affected products (1)
- cpe:2.3:a:tautulli:tautulli:*:*:*:*:*:*:*:*
More vulnerabilities in Tautulli
- CVE-2026-28505 — Critical (CVSS 10.0): Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the str_eval()…
- CVE-2026-32275 — Critical (CVSS 9.1): Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version…
- CVE-2025-58761 — High (CVSS 8.6): Tautulli is a Python based monitoring and tracking tool for Plex Media Server. The `real_pms_image_proxy` endpoint in…
- CVE-2025-58760 — High (CVSS 8.6): Tautulli is a Python based monitoring and tracking tool for Plex Media Server. The `/image` API endpoint in Tautulli…
- CVE-2025-58763 — High (CVSS 8.0): Tautulli is a Python based monitoring and tracking tool for Plex Media Server. A command injection vulnerability in…
- CVE-2026-31831 — High (CVSS 7.5): Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the…
Other CWE-73 vulnerabilities
- CVE-2025-71338 — Critical (CVSS 10.0): Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows…
- CVE-2026-39907 — Critical (CVSS 10.0): Unisys WebPerfect Image Suite versions 3.0.3960.22810 and 3.0.3960.22604 expose an unauthenticated WCF SOAP endpoint on…
- CVE-2026-27211 — Critical (CVSS 10.0): Cloud Hypervisor is a Virtual Machine Monitor for Cloud workloads. Versions 34.0 through 50.0 arevulnerable to…
- CVE-2025-71334 — Critical (CVSS 9.8): Flowise before 3.0.6 (affected versions 2.2.8 and earlier) contains an arbitrary file access vulnerability due to…
- CVE-2025-71333 — Critical (CVSS 9.8): Flowise through 2.2.4 contains an unauthenticated arbitrary file upload vulnerability in the /api/v1/attachments…
- CVE-2026-39006 — Critical (CVSS 9.8): An issue in SNMP4J-Agent 3.8.3 allows a remote attacker to execute arbitrary code via the snmp4jCfgStoragePath…