CVE-2026-28505 in Tautulli
Summary (English)
Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the str_eval() function in notification_handler.py implements a sandboxed eval() for notification text templates. The sandbox attempts to restrict callable names by inspecting code.co_names of the compiled code object. However, co_names only contains names from the outer code object. When a lambda expression is used, it creates a nested code object whose attribute accesses are stored in code.co_consts, NOT in code.co_names. The sandbox never inspects nested code objects. This issue has been patched in version 2.17.0.
Responsible
GitHub_M
Reserved
2026-02-27
Disclosed
2026-03-30
Entry
| Identifier | Vulnerability | CWE | Base | Temp | 0day | Today | Exploitability | KEV | EPSS | CTI | Countermeasure | CVE |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 354256 | Tautulli notification_handler.py str_eval privilege escalation | 94 | 4.1 | 3.9 | $0-$5k | Calculating | Not defined | | 0.00000 | 0.00 | Official fix | CVE-2026-28505 |