CVE-2026-41065
Published: 04 June 2026
Summary
CVE-2026-41065 is a high-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability. Its CVSS base score is 8.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-34273
Vulnerability details
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 are vulnerable to remote code execution via the newsletter custom template directory feature. On a fresh install before the setup wizard is completed,…
more
all management endpoints are completely unauthenticated. An attacker can create a newsletter agent, point the custom template directory to an attacker-controlled SMB share serving a malicious Mako template, and trigger execution via the newsletter render endpoint, all with zero credentials and no local access to the target system. On a completed install with credentials configured, the same chain is exploitable by any admin. Version 2.17.1 fixes the issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated RCE on exposed web app via malicious template (T1190); Python/Mako-based code execution (T1059.006).
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.