CVE-2026-43984: Tautulli Stored XSS in Log Viewer – Guest Privilege Escalation
Tautulli, a Python monitoring application for Plex Media Server, contains a stored cross-site scripting (XSS) vulnerability in versions before 2.17.1. The flaw allows low-privilege users—including guest accounts when enabled—to inject malicious code into application logs via an unauthenticated endpoint. When an administrator views the logs, the injected code executes in their browser without restriction, giving attackers control within the admin's session. This is a privilege escalation and lateral attack vector that requires only guest-level access to trigger.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.9 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose `log_js_errors` to any authenticated user, including guest users when guest access is enabled. The endpoint writes attacker-controlled strings directly into the main application log. The administrator-only `logFile` view then reads that log file and embeds it into an HTML response without escaping. This creates a stored cross-site scripting condition where a low-privilege guest can inject HTML or JavaScript into the log file and have it execute in an administrator's browser when the log viewer is opened. Version 2.17.1 patches the issue.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability chain involves two components: first, the `log_js_errors` endpoint accepts attacker-controlled input from authenticated users (including guests) and writes it unsanitized to the application log file. Second, the administrator-only `logFile` view reads that log file and renders it in an HTML response without HTML entity encoding or Content Security Policy enforcement. This creates a stored XSS condition where malicious JavaScript injected by a guest persists in the log and executes when an administrator accesses the log viewer. The attack vector is network-based with low attack complexity, low privileges required, but does depend on user interaction (an admin must open the log viewer).
Business impact
For organizations running Plex Media Server with Tautulli monitoring and guest access enabled, this vulnerability poses a significant insider threat and privilege escalation risk. An attacker with guest credentials—or anyone who can obtain them—can compromise administrative sessions and potentially pivot to modify monitoring rules, access sensitive metadata about stored media, or perform further reconnaissance of the Plex infrastructure. The persistence of the payload in logs increases dwell time and complicates incident response. Organizations that rely on Tautulli for compliance or security monitoring may also face audit complications if logs become contaminated with malicious content.
Affected systems
Tautulli versions prior to 2.17.1 are affected. The vulnerability is particularly relevant to deployments where guest access is enabled, as guest accounts have sufficient privilege to access the `log_js_errors` endpoint. Standalone Tautulli installations, containerized deployments (Docker), and integrated Plex ecosystems are all in scope. Organizations that have disabled guest access face reduced but non-zero risk if internal users have been compromised or if the application is exposed to untrusted networks.
Exploitability
Exploitability is moderate to high. An attacker needs only guest-level credentials or the ability to create a guest account (if guest registration is open). Crafting the XSS payload requires basic HTML/JavaScript knowledge but no special tooling. The attack is reliable once the payload is logged, as the stored nature guarantees execution whenever an admin views logs. However, the attack does require user interaction—the administrator must actively open the log viewer—which is a common administrative action but not automatic. No CVSS evidence of active exploitation or proof-of-concept publication has been identified.
Remediation
Upgrade Tautulli to version 2.17.1 or later immediately. If immediate patching is not feasible, implement network-level controls: restrict access to Tautulli to trusted IP ranges, disable guest access if operationally feasible, and segregate Tautulli on a separate VLAN from sensitive systems. Monitor for suspicious entries in logs that contain script tags or JavaScript payloads. Regularly audit user access logs and guest account activity. After patching, review historical logs for evidence of injected content and rotate any administrative credentials that may have been harvested.
Patch guidance
Consult the official Tautulli GitHub releases page and security advisories for version 2.17.1 and any superseding patches. If running a containerized Tautulli deployment, pull the latest image tag corresponding to 2.17.1 or higher. Test the patch in a non-production environment first, as application updates may require configuration validation or cache clearing. Verify the patch application by confirming the version number in Tautulli's settings page and by testing that the `log_js_errors` endpoint properly sanitizes input (a manual input test with `<script>alert(1)</script>` should not execute when logs are viewed).
Detection guidance
Search application logs for HTML entities, script tags, or suspicious JavaScript payloads in entries that should contain only error messages. Monitor for unusual administrator log-viewer access patterns that correlate with guest account activity. Implement Web Application Firewall (WAF) rules to detect and log attempts to POST data containing encoded script tags or event handlers to the `log_js_errors` endpoint. Set up alerts for any modifications to log files outside of normal application writes. In SIEM platforms, correlate guest account logins with subsequent administrator session activity and log-viewer access.
Why prioritize this
This vulnerability merits immediate priority due to its combination of high CVSS score (8.9), stored payload persistence, and cross-session impact. Unlike reflected XSS, the malicious content remains in logs indefinitely, creating a time-delayed attack surface. The low barrier to entry (guest credentials) combined with high-impact targets (administrator sessions) makes it attractive to both opportunistic and targeted attackers. The requirement for admin interaction is the primary mitigating factor, but does not substantially reduce risk in typical deployments where log review is routine.
Risk score, explained
The CVSS 3.1 score of 8.9 (HIGH) reflects: network-based attack vector, low attack complexity, low privileges required to exploit, and scope change (guest session to admin session). Confidentiality and integrity impacts are rated high due to the ability to steal session tokens or execute commands within the admin context. Availability impact is rated low because the attack does not directly disrupt system availability, though it could cause performance degradation if logs grow large from injected content. The score appropriately captures the severity of privilege escalation and cross-session compromise, though the user interaction requirement (admin must open logs) prevents a CRITICAL rating.
Frequently asked questions
If we have guest access disabled, are we safe?
Mostly, but not entirely. With guest access disabled, only authenticated internal users can reach the vulnerable endpoint. However, if any internal account is compromised or if the Tautulli instance is accessible from an untrusted network, the risk remains. Upgrade to 2.17.1 regardless, as it hardens the endpoint against all authenticated users.
Does patching require any configuration changes or downtime?
Version 2.17.1 should be a drop-in upgrade. Review the official changelog for any breaking changes, but typically no configuration migration is needed. Plan a brief maintenance window for testing; downtime can be minimized to seconds for most deployments. Test in a staging environment first if you have one.
Can we detect if this vulnerability has been exploited in our logs?
Yes. Search your Tautulli logs for entries that contain `<`, `>`, `javascript:`, or common XSS patterns like `alert(`, `onerror=`, or `onload=`. Pay particular attention to `log_js_errors` entries from guest accounts. If found, assume administrative sessions may have been compromised and rotate admin passwords and API tokens as a precaution.
Is there a temporary workaround if we cannot patch immediately?
The safest interim measure is to disable guest access entirely. If that is not operationally feasible, restrict Tautulli network access to a trusted IP allowlist and monitor guest account activity closely. Do not rely on application-level fixes alone; network segmentation and credential rotation are equally important during the patch window.
This analysis is based on public vulnerability data as of the publication date. Vendor advisories, patch availability, and exploitation status may change. Always verify patch versions and compatibility against official vendor documentation before deployment. SEC.co makes no warranty regarding the completeness or timeliness of this intelligence. Organizations should conduct their own risk assessment based on their specific Tautulli deployment configuration and network environment. If you have deployed Tautulli in production, prioritize patching and log review immediately. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-11262HIGHLink Whisper Free Stored XSS Vulnerability – Analysis & Patch Guidance
- CVE-2025-14773HIGHABB T-MAC Plus XSS Vulnerability – HIGH Risk Assessment
- CVE-2025-15654HIGHFox-themes Prague Reflected XSS Vulnerability – CVSS 7.1 (HIGH)
- CVE-2025-52759HIGHReflected XSS in UnboundStudio Accordion FAQ Plugin (Versions ≤2.2.1)
- CVE-2025-67448HIGHNeterbit NW-431F Router SMS Stored XSS Vulnerability (CVSS 7.1)
- CVE-2026-2374HIGHLogin No Captcha reCAPTCHA WordPress Plugin Stored XSS Vulnerability
- CVE-2026-24751HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)
- CVE-2026-24752HIGHKiteworks Reflected XSS in Secure Data Forms (CVSS 8.2)