cvedb.io
CVE-2025-58763
HIGH · CVSS 8
EPSS exploitation probability: 0%
Published 2025-09-09T21:15:38.563 · Last modified 2026-06-17T09:44:53.773

Summary

Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. A command injection vulnerability in Tautulli v2.15.3 and prior allows attackers with administrative privileges to obtain remote code execution on the application server. This vulnerability requires the application to have been cloned from GitHub and installed manually. When Tautulli is cloned directly from GitHub and installed manually, the application manages updates and versioning through calls to the `git` command. In the code, this is performed through the `runGit` function in `versioncheck.py`. Since `shell=True` is passed to `subprocess.Popen`, this call is subject to command injection, as shell characters within arguments will be passed to the underlying shell. A concrete location where this
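
The fix for this class of bug is to stop handing a command string to a shell. As an added example that is not Tautulli's code, the following hardened stand-in for a `runGit`-style helper passes git arguments as a list with `shell=False` and allow-lists the one value an administrator can influence; `GIT_REF`, `git_argv`, `run_git` and `echo_argv` are names assumed here, and the sample input is constructed.

```python
import json
import re
import subprocess
import sys
from typing import List, Optional

# Allow-list for git refs / remote names supplied from the admin UI (assumed
# pattern; not Tautulli's own check). No shell metacharacters, no leading '-'
# (git would parse it as an option), no '..' path components.
GIT_REF = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]{0,254}$")

def is_safe_ref(value: str) -> bool:
    return bool(GIT_REF.match(value)) and ".." not in value

def git_argv(subcommand: List[str], ref: Optional[str] = None) -> List[str]:
    """Build the argument vector for a git call. `subcommand` holds literals
    the application itself chooses (e.g. ["fetch", "origin"]); `ref` is the
    one user-influenced value and is validated before it is appended."""
    if ref is not None and not is_safe_ref(ref):
        raise ValueError(f"refusing unsafe git ref: {ref!r}")
    return ["git", *subcommand] + ([ref] if ref is not None else [])

def run_argv(argv: List[str], cwd: Optional[str] = None) -> str:
    """Execute an argument vector. shell=False is the default: no shell is
    spawned, so ';', '&&' and '$(...)' inside an argument stay plain text.
    This is the hardened counterpart of Popen(cmd_string, shell=True)."""
    proc = subprocess.run(argv, cwd=cwd, capture_output=True, text=True, check=False)
    return proc.stdout

def run_git(subcommand: List[str], ref: Optional[str] = None, cwd: Optional[str] = None) -> str:
    """Hardened replacement for a runGit-style helper: validate, then exec."""
    return run_argv(git_argv(subcommand, ref), cwd=cwd)

def echo_argv(*args: str) -> List[str]:
    """Show the property without needing git installed: hand the strings to a
    child Python process via run_argv and read back exactly what it received."""
    child = "import json, sys; print(json.dumps(sys.argv[1:]))"
    return json.loads(run_argv([sys.executable, "-c", child, *args]))

if __name__ == "__main__":
    tainted = "v2.15.3; echo injected"   # constructed sample input
    print(echo_argv(tainted))            # whole string arrives as one argv entry
    print(is_safe_ref(tainted))          # False: rejected before git ever runs
```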

Affected products

tautulli — tautulli

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.