GHSA-VP22-38M5-R39R PySpector has a Plugin Code Execution Bypass via Incomplete Static Analysis in PluginSecurity.validate_plugin_code

Summary The plugin security validator in PySpector uses AST-based static analysis to prevent dangerous code from being loaded as plugins. The blocklist implemented in PluginSecurity.validateplugincode is incomplete and can be bypassed using several Python constructs that are not checked. An...

CVE-2026-28505

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the streval function in notificationhandler.py implements a sandboxed eval for notification text templates. The sandbox attempts to restrict callable names by inspecting code.conames of the...

CVE-2026-28505

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the streval function in notificationhandler.py implements a sandboxed eval for notification text templates. The sandbox attempts to restrict callable names by inspecting code.conames of the...

EUVD-2026-17184

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the streval function in notificationhandler.py implements a sandboxed eval for notification text templates. The sandbox attempts to restrict callable names by inspecting code.conames of the...

CVE-2026-28505

CVE-2026-28505 affects Tautulli prior to version 2.17.0. The root cause is a flawed sandbox in notification_handler.py: the str_eval() sandbox inspects code.co_names, but nested lambda expressions create code objects whose attributes appear in code.co_consts, allowing bypass of the whitelist. Thi...

Python -- multiple vulnerabilities

Python reports: bpo-42278: Replaced usage of tempfile.mktemp with TemporaryDirectory to avoid a potential race condition. bpo-41180: Add auditing events to the marshal module, and stop raising code.init events for every unmarshalled code object. Directly instantiated code objects will continue to...