{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31799", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T16:33:42.913Z", "datePublished": "2026-03-30T19:42:56.714Z", "dateUpdated": "2026-03-30T20:17:35.823Z"}, "containers": {"cna": {"title": "Tautulli: SQL Injection in get_home_stats API endpoint via unsanitised filter parameters", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-g47q-8j8w-m63q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-g47q-8j8w-m63q"}, {"name": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0"}], "affected": [{"vendor": "Tautulli", "product": "Tautulli", "versions": [{"version": ">= 2.1.0-beta, < 2.17.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T19:42:56.714Z"}, "descriptions": [{"lang": "en", "value": "Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 2.14.2 to before version 2.17.0 for parameters \"before\" and \"after\" and from version 2.1.0-beta to before version 2.17.0 for parameters \"section_id\" and \"user_id\", the /api/v2?cmd=get_home_stats endpoint passes the section_id, user_id, before, and after query parameters directly into SQL via Python %-string formatting without parameterization. An attacker who holds the Tautulli admin API key can inject arbitrary SQL and exfiltrate any value from the Tautulli SQLite database via boolean-blind inference. This issue has been patched in version 2.17.0."}], "source": {"advisory": "GHSA-g47q-8j8w-m63q", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T20:17:27.621057Z", "id": "CVE-2026-31799", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T20:17:35.823Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31799", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T20:17:27.621057Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T20:17:31.625Z"}}], "cna": {"title": "Tautulli: SQL Injection in get_home_stats API endpoint via unsanitised filter parameters", "source": {"advisory": "GHSA-g47q-8j8w-m63q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Tautulli", "product": "Tautulli", "versions": [{"status": "affected", "version": ">= 2.1.0-beta, < 2.17.0"}]}], "references": [{"url": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-g47q-8j8w-m63q", "name": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-g47q-8j8w-m63q", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0", "name": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 2.14.2 to before version 2.17.0 for parameters \"before\" and \"after\" and from version 2.1.0-beta to before version 2.17.0 for parameters \"section_id\" and \"user_id\", the /api/v2?cmd=get_home_stats endpoint passes the section_id, user_id, before, and after query parameters directly into SQL via Python %-string formatting without parameterization. An attacker who holds the Tautulli admin API key can inject arbitrary SQL and exfiltrate any value from the Tautulli SQLite database via boolean-blind inference. This issue has been patched in version 2.17.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T19:42:56.714Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31799", "state": "PUBLISHED", "dateUpdated": "2026-03-30T20:17:35.823Z", "dateReserved": "2026-03-09T16:33:42.913Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-30T19:42:56.714Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tautulli:tautulli:*:*:*:*:*:*:*:*", "matchCriteriaId": "0E44FE57-B329-4236-9FBB-277FF2A9FB00", "versionEndExcluding": "2.17.0", "versionStartIncluding": "2.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 2.14.2 to before version 2.17.0 for parameters \"before\" and \"after\" and from version 2.1.0-beta to before version 2.17.0 for parameters \"section_id\" and \"user_id\", the /api/v2?cmd=get_home_stats endpoint passes the section_id, user_id, before, and after query parameters directly into SQL via Python %-string formatting without parameterization. An attacker who holds the Tautulli admin API key can inject arbitrary SQL and exfiltrate any value from the Tautulli SQLite database via boolean-blind inference. This issue has been patched in version 2.17.0."}, {"lang": "es", "value": "Tautulli es una herramienta de monitoreo y seguimiento basada en Python para Plex Media Server. Desde la versi\u00f3n 2.14.2 hasta antes de la versi\u00f3n 2.17.0 para los par\u00e1metros 'before' y 'after', y desde la versi\u00f3n 2.1.0-beta hasta antes de la versi\u00f3n 2.17.0 para los par\u00e1metros 'section_id' y 'user_id', el endpoint /api/v2?cmd=get_home_stats pasa los par\u00e1metros de consulta section_id, user_id, before y after directamente a SQL a trav\u00e9s del formato de cadena % de Python sin parametrizaci\u00f3n. Un atacante que posee la clave API de administrador de Tautulli puede inyectar SQL arbitrario y exfiltrar cualquier valor de la base de datos SQLite de Tautulli mediante inferencia booleana a ciegas. Este problema ha sido parcheado en la versi\u00f3n 2.17.0."}], "id": "CVE-2026-31799", "lastModified": "2026-04-02T16:40:46.130", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-30T20:16:21.350", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/Tautulli/Tautulli/releases/tag/v2.17.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/Tautulli/Tautulli/security/advisories/GHSA-g47q-8j8w-m63q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.1.0-beta,2.17.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Tautulli", "source": "cna", "vendor": "Tautulli"}, "product": "tautulli", "vendor": "tautulli"}], "analysis": {"en": {"generated_at": "2026-04-02T22:06:37.321949+00:00", "value": {"mitigation_remediation": ["Apply the latest Tautulli update (v2.17.0 or newer) to eliminate the injection vector", "If an immediate upgrade is not possible, revoke or limit the administrative API key used for the affected endpoint until the patch can be applied"], "summary": {"action": "Immediate Update", "impact": "SQL Injection allowing data exfiltration from Tautulli's SQLite database"}, "threat_synthesis": {"affected_systems": "Tautulli versions from 2.14.2 up to (but not including) 2.17.0 are affected for the before/after parameters, while versions from 2.1.0\u2011beta up to 2.17.0 are affected for section_id and user_id. Users running any of these builds with the vulnerable API endpoint enabled and an administrator API key are exposed to this flaw.", "description_and_impact": "The vulnerability exists in the /api/v2?cmd=get_home_stats endpoint of Tautulli. Unsanitised query parameters (section_id, user_id, before, after) are inserted directly into SQL statements using Python string formatting, enabling attackers who possess an administrative API key to inject arbitrary SQL. The injection can be leveraged for boolean\u2011blind inference, allowing the attacker to read any value from the Tautulli SQLite database, compromising data confidentiality.", "risk_and_exploitability": "The CVSS base score of 4.9 indicates a moderate impact. The EPSS score is reported as less than 1 percent, suggesting a low probability of exploitation in the wild, and the flaw is not yet listed in the CISA KEV catalog. Exploitation requires the attacker to know or acquire the Tautulli admin API key, then craft a malicious request to the vulnerable endpoint; however, once the patch is applied, the issue is resolved."}}}}, "created": "2026-03-31T20:00:05.043161+00:00", "updated": "2026-04-03T09:38:04.744596+00:00", "vendors": ["tautulli", "tautulli$PRODUCT$tautulli"]}