CVE-2026-31799

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-31799
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31799.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31799
Aliases
  • GHSA-g47q-8j8w-m63q
Published
2026-03-30T19:42:56.714Z
Modified
2026-04-10T05:42:07.969352Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Tautulli: SQL Injection in get_home_stats API endpoint via unsanitised filter parameters
Details

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 2.14.2 to before version 2.17.0 for parameters "before" and "after" and from version 2.1.0-beta to before version 2.17.0 for parameters "sectionid" and "userid", the /api/v2?cmd=gethomestats endpoint passes the sectionid, userid, before, and after query parameters directly into SQL via Python %-string formatting without parameterization. An attacker who holds the Tautulli admin API key can inject arbitrary SQL and exfiltrate any value from the Tautulli SQLite database via boolean-blind inference. This issue has been patched in version 2.17.0.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31799.json",
    "cwe_ids": [
        "CWE-20",
        "CWE-89"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/tautulli/tautulli

Affected ranges

Type
GIT
Repo
https://github.com/tautulli/tautulli
Events
Introduced
b144ded87bcf2f561eff40531eab6655f4270ea7
Fixed
5610c167a17b0898d93d0588a0df81c03306ac52
Database specific 
{
    "versions": [
        {
            "introduced": "2.1.0-beta"
        },
        {
            "fixed": "2.17.0"
        }
    ]
}

Affected versions

v2.*
v2.1.0-beta
v2.1.1-beta
v2.1.10-beta
v2.1.11-beta
v2.1.12
v2.1.13
v2.1.14
v2.1.16-beta
v2.1.17-beta
v2.1.18
v2.1.19-beta
v2.1.2-beta
v2.1.20
v2.1.20-beta
v2.1.21
v2.1.22
v2.1.23-beta
v2.1.24-beta
v2.1.25
v2.1.26
v2.1.27-beta
v2.1.28
v2.1.29-beta
v2.1.3-beta
v2.1.30-beta
v2.1.31
v2.1.31-beta
v2.1.32
v2.1.33
v2.1.34
v2.1.35-beta
v2.1.36-beta
v2.1.37
v2.1.38
v2.1.4
v2.1.5-beta
v2.1.6-beta
v2.1.7-beta
v2.1.8-beta
v2.1.9
v2.10.0
v2.10.1
v2.10.2
v2.10.3
v2.10.4
v2.10.5
v2.11.0
v2.11.1
v2.12.0
v2.12.0-beta
v2.12.1
v2.12.2
v2.12.3
v2.12.4
v2.12.5
v2.13.0
v2.13.1
v2.13.2
v2.13.3
v2.13.4
v2.14.0-beta
v2.14.1-beta
v2.14.2
v2.14.3
v2.14.4
v2.14.5
v2.14.6
v2.15.0
v2.15.1
v2.15.2
v2.15.3
v2.16.0
v2.16.1
v2.5.0-beta
v2.5.1-beta
v2.5.2
v2.5.2-beta
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.6.0
v2.6.0-beta
v2.6.1
v2.6.10
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v2.7.0
v2.7.0-beta
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.8.0
v2.8.0-beta
v2.8.1
v2.9.0
v2.9.0-beta
v2.9.1
v2.9.2
v2.9.3
v2.9.4
v2.9.5
v2.9.6
v2.9.7

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31799.json"