{"api_version":"1","generated_at":"2026-06-24T18:35:32+00:00","cve":"CVE-2026-40605","urls":{"html":"https://cve.report/CVE-2026-40605","api":"https://cve.report/api/cve/CVE-2026-40605.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-40605","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-40605"},"summary":{"title":"Tautulli Vulnerable to Authenticated Path Traversal in Cache Deletion API","description":"Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.1, a path traversal vulnerability in the cache deletion endpoint allows authenticated API access to delete directories outside the configured cache path. This can cause arbitrary data loss and service disruption. Version 2.17.1 fixes the issue.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-06-04 14:16:40","updated_at":"2026-06-04 16:16:36"},"problem_types":["CWE-22","CWE-73","CWE-22 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","CWE-73 CWE-73: External Control of File Name or Path"],"metrics":[{"version":"4.0","source":"security-advisories@github.com","type":"Secondary","score":"5.7","severity":"MEDIUM","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","data":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.7,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}},{"version":"4.0","source":"CNA","type":"DECLARED","score":"5.7","severity":"MEDIUM","vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:P","data":{"attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":5.7,"baseSeverity":"MEDIUM","privilegesRequired":"LOW","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:P","version":"4.0","vulnAvailabilityImpact":"LOW","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH"}}],"references":[{"url":"https://github.com/Tautulli/Tautulli/releases/tag/v2.17.1","name":"https://github.com/Tautulli/Tautulli/releases/tag/v2.17.1","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/Tautulli/Tautulli/security/advisories/GHSA-fg46-xx7h-mhwr","name":"https://github.com/Tautulli/Tautulli/security/advisories/GHSA-fg46-xx7h-mhwr","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-40605","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40605","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Tautulli","product":"Tautulli","version":"affected < 2.17.1","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"40605","cve":"CVE-2026-40605","epss":"0.000430000","percentile":"0.134820000","score_date":"2026-06-09","updated_at":"2026-06-10 00:13:18"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-40605","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-06-04T15:02:18.536395Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-06-04T15:06:37.640Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["exploit"],"url":"https://github.com/Tautulli/Tautulli/security/advisories/GHSA-fg46-xx7h-mhwr"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"Tautulli","vendor":"Tautulli","versions":[{"status":"affected","version":"< 2.17.1"}]}],"descriptions":[{"lang":"en","value":"Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.1, a path traversal vulnerability in the cache deletion endpoint allows authenticated API access to delete directories outside the configured cache path. This can cause arbitrary data loss and service disruption. Version 2.17.1 fixes the issue."}],"metrics":[{"cvssV4_0":{"attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":5.7,"baseSeverity":"MEDIUM","privilegesRequired":"LOW","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:P","version":"4.0","vulnAvailabilityImpact":"LOW","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-22","description":"CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-73","description":"CWE-73: External Control of File Name or Path","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-04T12:50:10.079Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/Tautulli/Tautulli/security/advisories/GHSA-fg46-xx7h-mhwr","tags":["x_refsource_CONFIRM"],"url":"https://github.com/Tautulli/Tautulli/security/advisories/GHSA-fg46-xx7h-mhwr"},{"name":"https://github.com/Tautulli/Tautulli/releases/tag/v2.17.1","tags":["x_refsource_MISC"],"url":"https://github.com/Tautulli/Tautulli/releases/tag/v2.17.1"}],"source":{"advisory":"GHSA-fg46-xx7h-mhwr","discovery":"UNKNOWN"},"title":"Tautulli Vulnerable to Authenticated Path Traversal in Cache Deletion API"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-40605","datePublished":"2026-06-04T12:50:10.079Z","dateReserved":"2026-04-14T14:07:59.642Z","dateUpdated":"2026-06-04T15:06:37.640Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-04 14:16:40","lastModifiedDate":"2026-06-04 16:16:36","problem_types":["CWE-22","CWE-73","CWE-22 CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","CWE-73 CWE-73: External Control of File Name or Path"],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":5.7,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"LOW","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"PROOF_OF_CONCEPT","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"40605","Ordinal":"1","Title":"Tautulli Vulnerable to Authenticated Path Traversal in Cache Del","CVE":"CVE-2026-40605","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"40605","Ordinal":"1","NoteData":"Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.1, a path traversal vulnerability in the cache deletion endpoint allows authenticated API access to delete directories outside the configured cache path. This can cause arbitrary data loss and service disruption. Version 2.17.1 fixes the issue.","Type":"Description","Title":"Tautulli Vulnerable to Authenticated Path Traversal in Cache Del"}]}}}