cvedb.io
CVE-2025-58760
HIGH · CVSS 8.6
EPSS exploitation probability: 0%
Published 2025-09-09T20:15:49.563 · Last modified 2026-06-17T09:44:53.450

Summary

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. The `/image` API endpoint in Tautulli v2.15.3 and earlier is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. In Tautulli, the `/image` API endpoint is used to serve static images from the application's data directory to users. This endpoint can be accessed without authentication, and its intended purpose is for server background images and icons within the user interface. Attackers can exfiltrate files from the application file system, including the `tautulli.db` SQLite database containing active JWT tokens, as well as the `config.ini` file which contains the hashed admin password, the JWT token secret, and the Plex Media Server t

Affected products

tautulli — tautulli

Does this affect you?

Add your gear to cvedb and we'll alert you only when tautulli ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.