CVE-2026-32275

CriticalPublic PoC

Published: 30 March 2026

Published

30 March 2026

Modified

02 April 2026

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score 0.0006 18.9th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32275 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Tautulli Tautulli. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 18.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Validates and sanitizes the unsanitized JSONP callback parameter to directly prevent cross-origin script injection exploits.

SI-15 Information Output Filtering good match

prevent

Filters information outputs to block execution of injected scripts in the victim's browser context, mitigating XSS impacts.

SI-2 Flaw Remediation good match

prevent

Identifies, reports, and corrects the flaw through timely patching, as implemented in Tautulli version 2.17.0.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.007 JavaScript Execution

Adversaries may abuse various implementations of JavaScript for execution.

attack.mitre.org →

T1552 Unsecured Credentials Credential Access

Adversaries may search compromised systems to find and obtain insecurely stored credentials.

attack.mitre.org →

Why these techniques?

XSS in public-facing Tautulli web app directly enables remote exploitation (T1190); unsanitized JSONP callback permits arbitrary JavaScript injection/execution (T1059.007); resulting cross-origin data leakage facilitates theft of API keys/credentials (T1552).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has been patched in version…

2.17.0.

Deeper analysisAI

CVE-2026-32275 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Tautulli, a Python-based monitoring and tracking tool for Plex Media Server. The flaw arises from an unsanitized JSONP callback parameter in versions 1.3.10 through 2.16.x, enabling cross-origin script injection and potential theft of API keys. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high impacts on confidentiality and integrity with no requirements for privileges or user interaction.

Attackers can exploit this vulnerability remotely over the network without authentication by crafting malicious requests that leverage the JSONP callback to inject arbitrary scripts cross-origin. Successful exploitation allows theft of sensitive API keys, potentially granting unauthorized access to Tautulli functionality and associated Plex Media Server data, as well as execution of further malicious actions within the victim's browser context.

The issue has been addressed in Tautulli version 2.17.0, as detailed in the project's release notes and GitHub security advisory (GHSA-95mg-wpqw-9qxh). Security practitioners should upgrade to the patched version immediately and review exposed Tautulli instances for signs of compromise.