v2.17.2-ls233

CI Report:

https://ci-tests.linuxserver.io/linuxserver/tautulli/v2.17.2-ls233/index.html

LinuxServer Changes:

No changes

Remote Changes:

Changelog

v2.17.2 (2026-06-16)

• Notifications:
  • Fix: Line breaks in Gotify notification body text. (#2702)
• Newsletters:
  • Fix: XSS in newsletter cron value. (CVE-2026-49995) (Thanks @elvinsuleymanov)
• UI:
  • Fix: Reflected XSS in search query string. (CVE-2026-45381) (Thanks @JakePeralta7, @sondt99, @kah-ja)
  • Fix: Duplicated activity card progress timers. (#2716) (Thanks @omglazrgunpewpew)
• Other:
  • Fix: Fix X-Api-Key header check crashing server. (#2711)
  • Fix: Path traversal in uploaded database and config file names. (CVE-2026-52835) (Thanks @tonghuaroot)
  • Fix: Empty host fallback in URL when launching browser. (#2722) (Thanks @upmcplanetracker)
  • Fix: Open redirect via whitespace bypass in /auth/redirect (CVE-2026-54915) (Thanks @sondt99)

🛡 VirusTotal GitHub Action analysis:

• Tautulli-macos-v2.17.2-universal.pkg
• Tautulli-windows-v2.17.2-x64.exe

v2.17.1-ls233

CI Report:

https://ci-tests.linuxserver.io/linuxserver/tautulli/v2.17.1-ls233/index.html

LinuxServer Changes:

Full Changelog: v2.17.1-ls232...v2.17.1-ls233

Remote Changes:

Changelog

v2.17.1 (2026-05-04)

• Notifications:
  • Fix: Tautulli Remote App notifications failing to send. (#2669)
  • New: Added extra type and preroll to notification parameters.
  • New: Added Simkl URL to notification parameters.
• Newsletters:
  • Fix: Remote code execution via newsletter custom template directory. (CVE-2026-41065) (Thanks @remindsec)
• Exporter:
  • Fix: Export failed when logo / square art keys were included. (#2685)
• UI:
  • Fix: Error when browsing for folder paths. (#2673)
  • New: Added AV1 media flag image. (#2676) (Thanks @little0831)
  • New: Added opus media flag image.
• Other:
  • Fix: Clean empty directories after updating using git. (#2667)
  • Fix: Tautulli failing to reconnect to Plex Media Server until restarted after a connection loss at startup. (#2640)
  • Fix: Path treversal in cache deletion API. (CVE-2026-40605) (Thanks @JakePeralta7)
  • Fix: Websocket not exiting and reconnecting cleanly after changing Plex servers.
  • Fix: Sanitize JS log errors to prevent XSS. (CVE-2026-43984) (Thanks @larlarua)
  • Fix: Do not store image hash for external images. (CVE-2026-43986) (Thanks @larlarua)
  • New: Update Windows and MacOS packages to Python 3.13.
  • New: Update Snap package to core24.
  • New: Using mounted folders for custom newsletter templates and scripts requires manually enabling allow_mounted_folders = 1 in the config file.
  • New: Added anti-CSRF tokens and enforce POST methods to state change endpoints. (CVE-2026-43985) (Thanks @larlarua)
  • New: Hash Tautulli cookie name. All existing login sessions will be invalidated after the update.
  • New: Require X-Api-Key header for login through the /auth/signin endpoint.

🛡 VirusTotal GitHub Action analysis:

• Tautulli-macos-v2.17.1-universal.pkg
• Tautulli-windows-v2.17.1-x64.exe

develop-d8d284d7-ls476

CI Report:

https://ci-tests.linuxserver.io/linuxserver/tautulli/develop-d8d284d7-ls476/index.html

LinuxServer Changes:

Full Changelog: develop-4be86e8d-ls475...develop-d8d284d7-ls476

Remote Changes:

Add error message to login page for invalid CSRF token

CSRF token becomes invalid when the session expires (default 1 hour) (i.e. sitting on a stale login page)

develop-c7153deb-ls476

CI Report:

https://ci-tests.linuxserver.io/linuxserver/tautulli/develop-c7153deb-ls476/index.html

LinuxServer Changes:

No changes

Remote Changes:

v2.17.2

v2.17.1-ls232

CI Report:

https://ci-tests.linuxserver.io/linuxserver/tautulli/v2.17.1-ls232/index.html

LinuxServer Changes:

Full Changelog: v2.17.1-ls231...v2.17.1-ls232

Remote Changes:

Changelog

v2.17.1 (2026-05-04)

• Notifications:
  • Fix: Tautulli Remote App notifications failing to send. (#2669)
  • New: Added extra type and preroll to notification parameters.
  • New: Added Simkl URL to notification parameters.
• Newsletters:
  • Fix: Remote code execution via newsletter custom template directory. (CVE-2026-41065) (Thanks @remindsec)
• Exporter:
  • Fix: Export failed when logo / square art keys were included. (#2685)
• UI:
  • Fix: Error when browsing for folder paths. (#2673)
  • New: Added AV1 media flag image. (#2676) (Thanks @little0831)
  • New: Added opus media flag image.
• Other:
  • Fix: Clean empty directories after updating using git. (#2667)
  • Fix: Tautulli failing to reconnect to Plex Media Server until restarted after a connection loss at startup. (#2640)
  • Fix: Path treversal in cache deletion API. (CVE-2026-40605) (Thanks @JakePeralta7)
  • Fix: Websocket not exiting and reconnecting cleanly after changing Plex servers.
  • Fix: Sanitize JS log errors to prevent XSS. (CVE-2026-43984) (Thanks @larlarua)
  • Fix: Do not store image hash for external images. (CVE-2026-43986) (Thanks @larlarua)
  • New: Update Windows and MacOS packages to Python 3.13.
  • New: Update Snap package to core24.
  • New: Using mounted folders for custom newsletter templates and scripts requires manually enabling allow_mounted_folders = 1 in the config file.
  • New: Added anti-CSRF tokens and enforce POST methods to state change endpoints. (CVE-2026-43985) (Thanks @larlarua)
  • New: Hash Tautulli cookie name. All existing login sessions will be invalidated after the update.
  • New: Require X-Api-Key header for login through the /auth/signin endpoint.

🛡 VirusTotal GitHub Action analysis:

• Tautulli-macos-v2.17.1-universal.pkg
• Tautulli-windows-v2.17.1-x64.exe

develop-74bb4767-ls475

CI Report:

https://ci-tests.linuxserver.io/linuxserver/tautulli/develop-74bb4767-ls475/index.html

LinuxServer Changes:

No changes

Remote Changes:

Bump urllib3 from 2.6.3 to 2.7.0 (#2701)

• Bump urllib3 from 2.6.3 to 2.7.0

Bumps urllib3 from 2.6.3 to 2.7.0.

• Release notes
• Changelog
• Commits

---

updated-dependencies:

• dependency-name: urllib3
  dependency-version: 2.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  ...

Signed-off-by: dependabot[bot] support@github.com

• Bump urllib3==2.7.0

---

Signed-off-by: dependabot[bot] support@github.com
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: JonnyWong16 9099342+JonnyWong16@users.noreply.github.com

[skip ci]

develop-4be86e8d-ls475

CI Report:

https://ci-tests.linuxserver.io/linuxserver/tautulli/develop-4be86e8d-ls475/index.html

LinuxServer Changes:

Full Changelog: develop-aac59a6b-ls474...develop-4be86e8d-ls475

Remote Changes:

Fix duplicate activity progress timers (#2716)

v2.17.1-ls231

CI Report:

https://ci-tests.linuxserver.io/linuxserver/tautulli/v2.17.1-ls231/index.html

LinuxServer Changes:

Full Changelog: v2.17.1-ls230...v2.17.1-ls231

Remote Changes:

Changelog

v2.17.1 (2026-05-04)

• Notifications:
  • Fix: Tautulli Remote App notifications failing to send. (#2669)
  • New: Added extra type and preroll to notification parameters.
  • New: Added Simkl URL to notification parameters.
• Newsletters:
  • Fix: Remote code execution via newsletter custom template directory. (CVE-2026-41065) (Thanks @remindsec)
• Exporter:
  • Fix: Export failed when logo / square art keys were included. (#2685)
• UI:
  • Fix: Error when browsing for folder paths. (#2673)
  • New: Added AV1 media flag image. (#2676) (Thanks @little0831)
  • New: Added opus media flag image.
• Other:
  • Fix: Clean empty directories after updating using git. (#2667)
  • Fix: Tautulli failing to reconnect to Plex Media Server until restarted after a connection loss at startup. (#2640)
  • Fix: Path treversal in cache deletion API. (CVE-2026-40605) (Thanks @JakePeralta7)
  • Fix: Websocket not exiting and reconnecting cleanly after changing Plex servers.
  • Fix: Sanitize JS log errors to prevent XSS. (CVE-2026-43984) (Thanks @larlarua)
  • Fix: Do not store image hash for external images. (CVE-2026-43986) (Thanks @larlarua)
  • New: Update Windows and MacOS packages to Python 3.13.
  • New: Update Snap package to core24.
  • New: Using mounted folders for custom newsletter templates and scripts requires manually enabling allow_mounted_folders = 1 in the config file.
  • New: Added anti-CSRF tokens and enforce POST methods to state change endpoints. (CVE-2026-43985) (Thanks @larlarua)
  • New: Hash Tautulli cookie name. All existing login sessions will be invalidated after the update.
  • New: Require X-Api-Key header for login through the /auth/signin endpoint.

🛡 VirusTotal GitHub Action analysis:

• Tautulli-macos-v2.17.1-universal.pkg
• Tautulli-windows-v2.17.1-x64.exe

develop-b75f36e1-ls474

CI Report:

https://ci-tests.linuxserver.io/linuxserver/tautulli/develop-b75f36e1-ls474/index.html

LinuxServer Changes:

No changes

Remote Changes:

Merge branch 'fix/newsletter_cron' into nightly

develop-aac59a6b-ls474

CI Report:

https://ci-tests.linuxserver.io/linuxserver/tautulli/develop-aac59a6b-ls474/index.html

LinuxServer Changes:

Full Changelog: develop-aac59a6b-ls473...develop-aac59a6b-ls474

Remote Changes:

Use double space for Gotify body newline

Fixes: #2702