CVE-2026-28505

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-28505

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28505.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-28505

Aliases

GHSA-m62j-gwm9-7p8m

Published

2026-03-30T19:41:54.644Z

Modified

2026-04-10T05:41:16.915157Z

Severity

7.5 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Tautulli: RCE via eval() sandbox bypass using lambda nested scope to escape co_names whitelist check

Details

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the streval() function in notificationhandler.py implements a sandboxed eval() for notification text templates. The sandbox attempts to restrict callable names by inspecting code.conames of the compiled code object. However, conames only contains names from the outer code object. When a lambda expression is used, it creates a nested code object whose attribute accesses are stored in code.coconsts, NOT in code.conames. The sandbox never inspects nested code objects. This issue has been patched in version 2.17.0.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28505.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-94",
        "CWE-95"
    ]
}

References

Affected packages

Git / github.com/tautulli/tautulli

Affected ranges

Type

GIT

Repo

https://github.com/tautulli/tautulli

Events

Introduced

Fixed

5610c167a17b0898d93d0588a0df81c03306ac52

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.17.0"
        }
    ]
}

Affected versions

v1.*

v1.0

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.4.13

v1.4.14

v1.4.15

v1.4.16

v1.4.17

v1.4.18

v1.4.19

v1.4.20

v1.4.21

v1.4.22

v1.4.23

v1.4.24

v1.4.25

v2.*

v2.0.0-beta

v2.0.1-beta

v2.0.10-beta

v2.0.11-beta

v2.0.12-beta

v2.0.13-beta

v2.0.14-beta

v2.0.15-beta

v2.0.16-beta

v2.0.17-beta

v2.0.18-beta

v2.0.19-beta

v2.0.2-beta

v2.0.20-beta

v2.0.21-beta

v2.0.22

v2.0.22-beta

v2.0.23-beta

v2.0.3-beta

v2.0.4-beta

v2.0.5-beta

v2.0.6-beta

v2.0.7-beta

v2.0.8-beta

v2.0.9-beta

v2.1.0-beta

v2.1.1-beta

v2.1.10-beta

v2.1.11-beta

v2.1.12

v2.1.13

v2.1.14

v2.1.16-beta

v2.1.17-beta

v2.1.18

v2.1.19-beta

v2.1.2-beta

v2.1.20

v2.1.20-beta

v2.1.21

v2.1.22

v2.1.23-beta

v2.1.24-beta

v2.1.25

v2.1.26

v2.1.27-beta

v2.1.28

v2.1.29-beta

v2.1.3-beta

v2.1.30-beta

v2.1.31

v2.1.31-beta

v2.1.32

v2.1.33

v2.1.34

v2.1.35-beta

v2.1.36-beta

v2.1.37

v2.1.38

v2.1.4

v2.1.5-beta

v2.1.6-beta

v2.1.7-beta

v2.1.8-beta

v2.1.9

v2.10.0

v2.10.1

v2.10.2

v2.10.3

v2.10.4

v2.10.5

v2.11.0

v2.11.1

v2.12.0

v2.12.0-beta

v2.12.1

v2.12.2

v2.12.3

v2.12.4

v2.12.5

v2.13.0

v2.13.1

v2.13.2

v2.13.3

v2.13.4

v2.14.0-beta

v2.14.1-beta

v2.14.2

v2.14.3

v2.14.4

v2.14.5

v2.14.6

v2.15.0

v2.15.1

v2.15.2

v2.15.3

v2.16.0

v2.16.1

v2.5.0-beta

v2.5.1-beta

v2.5.2

v2.5.2-beta

v2.5.3

v2.5.4

v2.5.5

v2.5.6

v2.6.0

v2.6.0-beta

v2.6.1

v2.6.10

v2.6.2

v2.6.3

v2.6.4

v2.6.5

v2.6.6

v2.6.7

v2.6.8

v2.6.9

v2.7.0

v2.7.0-beta

v2.7.1

v2.7.2

v2.7.3

v2.7.4

v2.7.5

v2.7.6

v2.7.7

v2.8.0

v2.8.0-beta

v2.8.1

v2.9.0

v2.9.0-beta

v2.9.1

v2.9.2

v2.9.3

v2.9.4

v2.9.5

v2.9.6

v2.9.7

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28505.json"