v2.17.0-ls225

CI Report:

https://ci-tests.linuxserver.io/linuxserver/tautulli/v2.17.0-ls225/index.html

LinuxServer Changes:

Full Changelog: v2.17.0-ls224...v2.17.0-ls225

Remote Changes:

Changelog

v2.17.0 (2026-03-27)

• Important Note!
  • Several security vulnerabilities have been identified in Tautulli versions <=2.16.1. Users are strongly encouraged to update to the latest Tautulli version 2.17.x.
• Notes:
  • Support for Python 3.9 has been dropped. The minimum Python version is now 3.10.
• Notifications:
  • Fix: Prevent RCE in notification text evaluation. (CVE-2026-28505) (Thanks @q1uf3ng)
• Newsletters:
  • Fix: Media from other video libraries using the modern Plex agents not showing up on newsletter.
  • Fix: Unauthenticated path traversal in /newsletter/image/images endpoint. (CVE-2026-31831) (Thanks @JakePeralta7)
• Exporter:
  • Fix: Logo images incorrectly exported as jpg instead of png.
  • New: Added ability to export square art images.
  • New: Added ability to export theme music. (#2654)
• Graphs:
  • Fix: History modal not opening when clicking on graphs. (#2652)
• API:
  • Fix: SQL injection in get_home_stats API command. (CVE-2026-31799) (Thanks @mandreko)
  • Fix: Unsanitized JSONP callback parameter. (CVE-2026-32275) (Thanks @mandreko)
  • New: Added rating to get_home_stats API command. (#2655) (Thanks @jma1ice)
  • Removed: get_apikey API command.
• Other:
  • Fix: Validate log path for Plex log files. (#2632)
  • Fix: Add authentication to /pms_image_proxy endpoint. (CVE-2026-31804) (Thanks @mandreko)
  • New: Updated third party donation logos. (#2646) (Thanks @aisgbnok)
  • New: Update Bootstrap CSS to v3.4.1 and decouple overrides (#2662) (Thanks @aisgbnok)
  • New: Update Bootstrap-select to v1.13.18 (#2666) (Thanks @aisgbnok)

🛡 VirusTotal GitHub Action analysis:

• Tautulli-macos-v2.17.0-universal.pkg
• Tautulli-windows-v2.17.0-x64.exe

develop-864dc9ff-ls467

CI Report:

https://ci-tests.linuxserver.io/linuxserver/tautulli/develop-864dc9ff-ls467/index.html

LinuxServer Changes:

No changes

Remote Changes:

Fix logo and squareArt key export

Fixes #2685

develop-1abe8182-ls467

CI Report:

https://ci-tests.linuxserver.io/linuxserver/tautulli/develop-1abe8182-ls467/index.html

LinuxServer Changes:

Full Changelog: develop-43b709b7-ls466...develop-1abe8182-ls467

Remote Changes:

Bump cryptography from 46.0.6 to 46.0.7 (#2678)

Bumps cryptography from 46.0.6 to 46.0.7.

• Changelog
• Commits

---

updated-dependencies:

• dependency-name: cryptography
  dependency-version: 46.0.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  ...

Signed-off-by: dependabot[bot] [email protected]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

v2.17.0-ls224

CI Report:

https://ci-tests.linuxserver.io/linuxserver/tautulli/v2.17.0-ls224/index.html

LinuxServer Changes:

Full Changelog: v2.17.0-ls223...v2.17.0-ls224

Remote Changes:

Changelog

v2.17.0 (2026-03-27)

• Important Note!
  • Several security vulnerabilities have been identified in Tautulli versions <=2.16.1. Users are strongly encouraged to update to the latest Tautulli version 2.17.x.
• Notes:
  • Support for Python 3.9 has been dropped. The minimum Python version is now 3.10.
• Notifications:
  • Fix: Prevent RCE in notification text evaluation. (CVE-2026-28505) (Thanks @q1uf3ng)
• Newsletters:
  • Fix: Media from other video libraries using the modern Plex agents not showing up on newsletter.
  • Fix: Unauthenticated path traversal in /newsletter/image/images endpoint. (CVE-2026-31831) (Thanks @JakePeralta7)
• Exporter:
  • Fix: Logo images incorrectly exported as jpg instead of png.
  • New: Added ability to export square art images.
  • New: Added ability to export theme music. (#2654)
• Graphs:
  • Fix: History modal not opening when clicking on graphs. (#2652)
• API:
  • Fix: SQL injection in get_home_stats API command. (CVE-2026-31799) (Thanks @mandreko)
  • Fix: Unsanitized JSONP callback parameter. (CVE-2026-32275) (Thanks @mandreko)
  • New: Added rating to get_home_stats API command. (#2655) (Thanks @jma1ice)
  • Removed: get_apikey API command.
• Other:
  • Fix: Validate log path for Plex log files. (#2632)
  • Fix: Add authentication to /pms_image_proxy endpoint. (CVE-2026-31804) (Thanks @mandreko)
  • New: Updated third party donation logos. (#2646) (Thanks @aisgbnok)
  • New: Update Bootstrap CSS to v3.4.1 and decouple overrides (#2662) (Thanks @aisgbnok)
  • New: Update Bootstrap-select to v1.13.18 (#2666) (Thanks @aisgbnok)

🛡 VirusTotal GitHub Action analysis:

• Tautulli-macos-v2.17.0-universal.pkg
• Tautulli-windows-v2.17.0-x64.exe

develop-f5861741-ls466

CI Report:

https://ci-tests.linuxserver.io/linuxserver/tautulli/develop-f5861741-ls466/index.html

LinuxServer Changes:

Full Changelog: develop-0ce310ac-ls465...develop-f5861741-ls466

Remote Changes:

add av1.png media flag (#2676)

created av1.png with 42px height to match other flags based off https://aomedia.org/assets/images/aomedia-logo-resources/av1_logo_white.svg found on https://aomedia.org/resources/logo/

develop-43b709b7-ls466

CI Report:

https://ci-tests.linuxserver.io/linuxserver/tautulli/develop-43b709b7-ls466/index.html

LinuxServer Changes:

No changes

Remote Changes:

Add opus.png media flag

v2.17.0-ls223

CI Report:

https://ci-tests.linuxserver.io/linuxserver/tautulli/v2.17.0-ls223/index.html

LinuxServer Changes:

Full Changelog: v2.17.0-ls222...v2.17.0-ls223

Remote Changes:

Changelog

v2.17.0 (2026-03-27)

• Important Note!
  • Several security vulnerabilities have been identified in Tautulli versions <=2.16.1. Users are strongly encouraged to update to the latest Tautulli version 2.17.x.
• Notes:
  • Support for Python 3.9 has been dropped. The minimum Python version is now 3.10.
• Notifications:
  • Fix: Prevent RCE in notification text evaluation. (CVE-2026-28505) (Thanks @q1uf3ng)
• Newsletters:
  • Fix: Media from other video libraries using the modern Plex agents not showing up on newsletter.
  • Fix: Unauthenticated path traversal in /newsletter/image/images endpoint. (CVE-2026-31831) (Thanks @JakePeralta7)
• Exporter:
  • Fix: Logo images incorrectly exported as jpg instead of png.
  • New: Added ability to export square art images.
  • New: Added ability to export theme music. (#2654)
• Graphs:
  • Fix: History modal not opening when clicking on graphs. (#2652)
• API:
  • Fix: SQL injection in get_home_stats API command. (CVE-2026-31799) (Thanks @mandreko)
  • Fix: Unsanitized JSONP callback parameter. (CVE-2026-32275) (Thanks @mandreko)
  • New: Added rating to get_home_stats API command. (#2655) (Thanks @jma1ice)
  • Removed: get_apikey API command.
• Other:
  • Fix: Validate log path for Plex log files. (#2632)
  • Fix: Add authentication to /pms_image_proxy endpoint. (CVE-2026-31804) (Thanks @mandreko)
  • New: Updated third party donation logos. (#2646) (Thanks @aisgbnok)
  • New: Update Bootstrap CSS to v3.4.1 and decouple overrides (#2662) (Thanks @aisgbnok)
  • New: Update Bootstrap-select to v1.13.18 (#2666) (Thanks @aisgbnok)

🛡 VirusTotal GitHub Action analysis:

• Tautulli-macos-v2.17.0-universal.pkg
• Tautulli-windows-v2.17.0-x64.exe

v2.17.0-ls222

CI Report:

https://ci-tests.linuxserver.io/linuxserver/tautulli/v2.17.0-ls222/index.html

LinuxServer Changes:

Full Changelog: v2.16.1-ls221...v2.17.0-ls222

Remote Changes:

Changelog

v2.17.0 (2026-03-27)

• Important Note!
  • Several security vulnerabilities have been identified in Tautulli versions <=2.16.1. Users are strongly encouraged to update to the latest Tautulli version 2.17.x.
• Notifications:
  • Fix: Prevent RCE in notification text evaluation. (CVE-2026-28505) (Thanks @q1uf3ng)
• Newsletters:
  • Fix: Media from other video libraries using the modern Plex agents not showing up on newsletter.
  • Fix: Unauthenticated path traversal in /newsletter/image/images endpoint. (CVE-2026-31831) (Thanks @JakePeralta7)
• Exporter:
  • Fix: Logo images incorrectly exported as jpg instead of png.
  • New: Added ability to export square art images.
  • New: Added ability to export theme music. (#2654)
• Graphs:
  • Fix: History modal not opening when clicking on graphs. (#2652)
• API:
  • Fix: SQL injection in get_home_stats API command. (CVE-2026-31799) (Thanks @mandreko)
  • Fix: Unsanitized JSONP callback parameter. (CVE-2026-32275) (Thanks @mandreko)
  • New: Added rating to get_home_stats API command. (#2655) (Thanks @jma1ice)
  • Removed: get_apikey API command.
• Other:
  • Fix: Validate log path for Plex log files. (#2632)
  • Fix: Add authentication to /pms_image_proxy endpoint. (CVE-2026-31804) (Thanks @mandreko)
  • New: Updated third party donation logos. (#2646) (Thanks @aisgbnok)
  • New: Update Bootstrap CSS to v3.4.1 and decouple overrides (#2662) (Thanks @aisgbnok)
  • New: Update Bootstrap-select to v1.13.18 (#2666) (Thanks @aisgbnok)

🛡 VirusTotal GitHub Action analysis:

• Tautulli-macos-v2.17.0-universal.pkg
• Tautulli-windows-v2.17.0-x64.exe

develop-e4e3b3a9-ls465

CI Report:

https://ci-tests.linuxserver.io/linuxserver/tautulli/develop-e4e3b3a9-ls465/index.html

LinuxServer Changes:

Full Changelog: develop-37ff0325-ls464...develop-e4e3b3a9-ls465

Remote Changes:

Decode Tautulli Remote App base64 payload

Fixes ##2669

develop-b7614429-ls465

CI Report:

https://ci-tests.linuxserver.io/linuxserver/tautulli/develop-b7614429-ls465/index.html

LinuxServer Changes:

No changes

Remote Changes:

Check for None response when refreshing token

Fixes #2640