CVE-2025-58763

Source
https://cve.org/CVERecord?id=CVE-2025-58763
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-58763.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-58763
Aliases
  • GHSA-jrm9-r57q-6cvf
Published
2025-09-09T20:13:44.797Z
Modified
2026-04-10T05:32:59.564809Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Summary
Tautulli vulnerable to Authenticated Remote Code Execution via Command Injection
Details

Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. A command injection vulnerability in Tautulli v2.15.3 and prior allows attackers with administrative privileges to obtain remote code execution on the application server. This vulnerability requires the application to have been cloned from GitHub and installed manually. When Tautulli is cloned directly from GitHub and installed manually, the application manages updates and versioning through calls to the git command. In the code, this is performed through the runGit function in versioncheck.py. Since shell=True is passed to subprocess.Popen, this call is subject to command injection, as shell characters within arguments are passed to the underlying shell. A concrete location where this can be triggered is the checkout_git_branch endpoint. This endpoint stores a user-supplied remote and branch name in the GIT_REMOTE and GIT_BRANCH configuration keys without sanitization. Downstream, these keys are fetched and passed directly into runGit using a format string. Hence, code execution can be obtained by using $() interpolation in a command. Version 2.16.0 contains a fix for the issue.
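The following is an added illustration of the weakness class the record describes (CWE-78 via shell=True plus string formatting), not Tautulli's own code and not the project's fix. It places the unsafe pattern (a git command line assembled from configuration values and handed to a shell) next to a hardened runner that passes an argv list with no shell and validates remote and branch names against an allow-list before they are stored or used. The function names, the regular expression and the sample inputs are all constructed for this example.

```python
import re
import subprocess
from typing import List, Sequence

# Unsafe pattern (constructed, mirrors what the advisory describes): the
# remote and branch come from configuration and are interpolated into one
# string that would be run with shell=True. This function only builds the
# string so the example never executes it; any $( ), ;, | or backtick in
# either value would be interpreted by the shell, not by git.
def unsafe_git_command_line(remote: str, branch: str) -> str:
    return "git fetch {} {}".format(remote, branch)


# Allow-list for names that may be stored as a remote or branch (assumption:
# deliberately stricter than git's own check-ref-format rules, which is
# acceptable for a configuration field). The leading character must be
# alphanumeric, so names cannot start with "-" and be parsed as a git option.
_REF_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]{0,254}$")


def is_safe_ref_name(name: str) -> bool:
    """True if the name is acceptable as a remote or branch name."""
    if not _REF_NAME.match(name):
        return False
    # Extra rules borrowed from git's ref syntax: no "..", no empty path
    # component, no trailing slash or ".lock" suffix.
    if ".." in name or "//" in name or name.endswith(("/", ".lock")):
        return False
    return True


def validate_ref_names(remote: str, branch: str) -> None:
    """Reject unsafe values at the point where they would enter the config."""
    for field, value in (("remote", remote), ("branch", branch)):
        if not is_safe_ref_name(value):
            raise ValueError("refusing unsafe git %s name: %r" % (field, value))


def build_git_argv(*args: str) -> List[str]:
    """Build the argument vector for git. Each element is one argument, so
    shell metacharacters inside a value reach git literally as text."""
    return ["git", *args]


def run_git_safe(args: Sequence[str], cwd: str) -> subprocess.CompletedProcess:
    """Run git with an argv list and the default shell=False: there is no
    shell to interpret $( ) or other metacharacters in the arguments."""
    return subprocess.run(build_git_argv(*args), cwd=cwd,
                          capture_output=True, text=True, check=False)


def checkout_branch_safe(remote: str, branch: str, cwd: str) -> None:
    """Hardened equivalent of a 'switch remote/branch' handler: validate,
    then call git with separate arguments."""
    validate_ref_names(remote, branch)
    run_git_safe(["fetch", remote, branch], cwd)
    run_git_safe(["checkout", branch], cwd)


if __name__ == "__main__":
    # Constructed inputs: a normal branch and one carrying $( ) interpolation.
    print(unsafe_git_command_line("origin", "main"))
    print(build_git_argv("fetch", "origin", "main$(echo injected)"))
    for candidate in ("main", "release/2.16.0", "main$(echo injected)", "-oflag"):
        print(candidate, "->", "ok" if is_safe_ref_name(candidate) else "rejected")
```

Two points are worth separating. Dropping shell=True in favour of an argv list removes the shell as an interpreter, which is the fix for this weakness class. The allow-list is an additional layer: it stops values that are harmless to the shell but still dangerous to git itself, such as a name beginning with "-" that git would parse as an option, and it lets the rejection happen when the configuration key is written rather than when the update job later runs.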

Database specific
{
    "cwe_ids": [
        "CWE-78"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/58xxx/CVE-2025-58763.json"
}
References

Affected packages

Git / github.com/tautulli/tautulli

Affected ranges

Type
GIT
Repo
https://github.com/tautulli/tautulli
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v1.*
v1.0
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.4.13
v1.4.14
v1.4.15
v1.4.16
v1.4.17
v1.4.18
v1.4.19
v1.4.20
v1.4.21
v1.4.22
v1.4.23
v1.4.24
v1.4.25
v2.*
v2.0.0-beta
v2.0.1-beta
v2.0.10-beta
v2.0.11-beta
v2.0.12-beta
v2.0.13-beta
v2.0.14-beta
v2.0.15-beta
v2.0.16-beta
v2.0.17-beta
v2.0.18-beta
v2.0.19-beta
v2.0.2-beta
v2.0.20-beta
v2.0.21-beta
v2.0.22
v2.0.22-beta
v2.0.23-beta
v2.0.3-beta
v2.0.4-beta
v2.0.5-beta
v2.0.6-beta
v2.0.7-beta
v2.0.8-beta
v2.0.9-beta
v2.1.0-beta
v2.1.1-beta
v2.1.10-beta
v2.1.11-beta
v2.1.12
v2.1.13
v2.1.14
v2.1.16-beta
v2.1.17-beta
v2.1.18
v2.1.19-beta
v2.1.2-beta
v2.1.20
v2.1.20-beta
v2.1.21
v2.1.22
v2.1.23-beta
v2.1.24-beta
v2.1.25
v2.1.26
v2.1.27-beta
v2.1.28
v2.1.29-beta
v2.1.3-beta
v2.1.30-beta
v2.1.31
v2.1.31-beta
v2.1.32
v2.1.33
v2.1.34
v2.1.35-beta
v2.1.36-beta
v2.1.37
v2.1.38
v2.1.4
v2.1.5-beta
v2.1.6-beta
v2.1.7-beta
v2.1.8-beta
v2.1.9
v2.10.0
v2.10.1
v2.10.2
v2.10.3
v2.10.4
v2.10.5
v2.11.0
v2.11.1
v2.12.0
v2.12.0-beta
v2.12.1
v2.12.2
v2.12.3
v2.12.4
v2.12.5
v2.13.0
v2.13.1
v2.13.2
v2.13.3
v2.13.4
v2.14.0-beta
v2.14.1-beta
v2.14.2
v2.14.3
v2.14.4
v2.14.5
v2.14.6
v2.15.0
v2.15.1
v2.15.2
v2.15.3
v2.5.0-beta
v2.5.1-beta
v2.5.2
v2.5.2-beta
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.6.0
v2.6.0-beta
v2.6.1
v2.6.10
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v2.7.0
v2.7.0-beta
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.8.0
v2.8.0-beta
v2.8.1
v2.9.0
v2.9.0-beta
v2.9.1
v2.9.2
v2.9.3
v2.9.4
v2.9.5
v2.9.6
v2.9.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-58763.json"