Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
7 vulnerabilities by franklioxygen
CVE-2026-33935 (GCVE-0-2026-33935)
Vulnerability from cvelistv5 – Published: 2026-03-27 00:43 – Updated: 2026-03-27 20:02
VLAI?
Title
MyTube has Unauthenticated Account Lockout via Shared Login Attempt State
Summary
MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification endpoints, all of which are publicly accessible. All three endpoints share a single file-backed login attempt state stored in `login-attempts.json`. When any endpoint records a failed authentication attempt via `recordFailedAttempt()`, the shared login attempt state is updated, increasing the `failedAttempts` counter and adjusting the associated timestamps and cooldown values. Before verifying a password, each endpoint calls `canAttemptLogin()`. This function checks the shared JSON file to determine whether a cooldown period is active. If the cooldown has not expired, the request is rejected before the password is validated. Because the failed attempt counter and cooldown timer are globally shared, failed authentication attempts against any endpoint affect all other endpoints. An attacker can exploit this by repeatedly sending invalid authentication requests to any of these endpoints, incrementing the shared counter and waiting for the cooldown period between attempts. By doing so, the attacker can progressively increase the lockout duration until it reaches 24 hours, effectively preventing legitimate users from authenticating. Once the maximum lockout is reached, the attacker can maintain the denial of service indefinitely by waiting for the cooldown to expire and sending another failed attempt, which immediately triggers another 24-hour lockout if no successful login occurred in the meantime. Version 1.8.72 fixes the vulnerability.
Severity ?
CWE
- CWE-307 - Improper Restriction of Excessive Authentication Attempts
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| franklioxygen | MyTube |
Affected:
< 1.8.72
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33935",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T20:02:10.135497Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T20:02:20.942Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MyTube",
"vendor": "franklioxygen",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.72"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification endpoints, all of which are publicly accessible. All three endpoints share a single file-backed login attempt state stored in `login-attempts.json`. When any endpoint records a failed authentication attempt via `recordFailedAttempt()`, the shared login attempt state is updated, increasing the `failedAttempts` counter and adjusting the associated timestamps and cooldown values. Before verifying a password, each endpoint calls `canAttemptLogin()`. This function checks the shared JSON file to determine whether a cooldown period is active. If the cooldown has not expired, the request is rejected before the password is validated. Because the failed attempt counter and cooldown timer are globally shared, failed authentication attempts against any endpoint affect all other endpoints. An attacker can exploit this by repeatedly sending invalid authentication requests to any of these endpoints, incrementing the shared counter and waiting for the cooldown period between attempts. By doing so, the attacker can progressively increase the lockout duration until it reaches 24 hours, effectively preventing legitimate users from authenticating. Once the maximum lockout is reached, the attacker can maintain the denial of service indefinitely by waiting for the cooldown to expire and sending another failed attempt, which immediately triggers another 24-hour lockout if no successful login occurred in the meantime. Version 1.8.72 fixes the vulnerability."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-307",
"description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T00:43:49.590Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-6w95-qgc4-5jxf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-6w95-qgc4-5jxf"
},
{
"name": "https://github.com/franklioxygen/MyTube/commit/4d89b146b16d08f27d8fd3e0a9122b109335deb1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/franklioxygen/MyTube/commit/4d89b146b16d08f27d8fd3e0a9122b109335deb1"
},
{
"name": "https://github.com/franklioxygen/MyTube/commit/752bc7f0ac83df8c881e6b6d5dd6f36bb274ee58",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/franklioxygen/MyTube/commit/752bc7f0ac83df8c881e6b6d5dd6f36bb274ee58"
},
{
"name": "https://github.com/franklioxygen/MyTube/commit/dd7b4a611fcc5b25a569f379be9a503eb413b6aa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/franklioxygen/MyTube/commit/dd7b4a611fcc5b25a569f379be9a503eb413b6aa"
},
{
"name": "https://github.com/franklioxygen/MyTube/blob/941035909ee3f96a6f80f38acf70cbc3e66b5098/backend/src/services/loginAttemptService.ts#L13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/franklioxygen/MyTube/blob/941035909ee3f96a6f80f38acf70cbc3e66b5098/backend/src/services/loginAttemptService.ts#L13"
}
],
"source": {
"advisory": "GHSA-6w95-qgc4-5jxf",
"discovery": "UNKNOWN"
},
"title": "MyTube has Unauthenticated Account Lockout via Shared Login Attempt State"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33935",
"datePublished": "2026-03-27T00:43:49.590Z",
"dateReserved": "2026-03-24T19:50:52.103Z",
"dateUpdated": "2026-03-27T20:02:20.942Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33890 (GCVE-0-2026-33890)
Vulnerability from cvelistv5 – Published: 2026-03-27 00:38 – Updated: 2026-03-27 13:49
VLAI?
Title
MyTube has an Unauthenticated Admin Privilege Escalation via Passkey Registration
Summary
MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.71, an unauthenticated attacker can register an arbitrary passkey and subsequently authenticate with it to obtain a full admin session. The application exposes passkey registration endpoints without requiring prior authentication. Any successfully authenticated passkey is automatically granted an administrator token, allowing full administrative access to the application. This enables a complete compromise of the application without requiring any existing credentials. Version 1.8.71 fixes the issue.
Severity ?
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| franklioxygen | MyTube |
Affected:
< 1.8.71
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33890",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T13:19:11.267423Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T13:49:59.015Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-378w-xh68-qrc8"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MyTube",
"vendor": "franklioxygen",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.71"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.71, an unauthenticated attacker can register an arbitrary passkey and subsequently authenticate with it to obtain a full admin session. The application exposes passkey registration endpoints without requiring prior authentication. Any successfully authenticated passkey is automatically granted an administrator token, allowing full administrative access to the application. This enables a complete compromise of the application without requiring any existing credentials. Version 1.8.71 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T00:38:50.089Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-378w-xh68-qrc8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-378w-xh68-qrc8"
},
{
"name": "https://github.com/franklioxygen/MyTube/commit/d6c1275a7ff7ffd3d51b53c333237f4d572580ac",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/franklioxygen/MyTube/commit/d6c1275a7ff7ffd3d51b53c333237f4d572580ac"
}
],
"source": {
"advisory": "GHSA-378w-xh68-qrc8",
"discovery": "UNKNOWN"
},
"title": "MyTube has an Unauthenticated Admin Privilege Escalation via Passkey Registration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33890",
"datePublished": "2026-03-27T00:38:50.089Z",
"dateReserved": "2026-03-24T15:10:05.682Z",
"dateUpdated": "2026-03-27T13:49:59.015Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33735 (GCVE-0-2026-33735)
Vulnerability from cvelistv5 – Published: 2026-03-27 00:36 – Updated: 2026-03-27 13:50
VLAI?
Title
MyTube has an Improper Access Control that Allows Complete Application Takeover
Summary
MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.69, an authorization bypass in the `/api/settings/import-database` endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a full compromise of the application. The bypass is relevant for other POST routes as well. Version 1.8.69 fixes the issue.
Severity ?
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| franklioxygen | MyTube |
Affected:
< 1.8.69
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33735",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T13:19:57.306177Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T13:50:13.478Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MyTube",
"vendor": "franklioxygen",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.69"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.69, an authorization bypass in the `/api/settings/import-database` endpoint allows attackers with low-privilege credentials to upload and replace the application\u0027s SQLite database entirely, leading to a full compromise of the application. The bypass is relevant for other POST routes as well. Version 1.8.69 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T00:39:04.151Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2"
},
{
"name": "https://github.com/franklioxygen/MyTube/commit/b7bf9b7960958c6c51f85fe50a2fc041a086c466",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/franklioxygen/MyTube/commit/b7bf9b7960958c6c51f85fe50a2fc041a086c466"
},
{
"name": "https://github.com/franklioxygen/MyTube/blob/6ade838a46366174e2c030f856340f3856e03132/backend/src/middleware/roleBasedSettingsMiddleware.ts#L116",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/franklioxygen/MyTube/blob/6ade838a46366174e2c030f856340f3856e03132/backend/src/middleware/roleBasedSettingsMiddleware.ts#L116"
}
],
"source": {
"advisory": "GHSA-63cf-662x-crp2",
"discovery": "UNKNOWN"
},
"title": "MyTube has an Improper Access Control that Allows Complete Application Takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33735",
"datePublished": "2026-03-27T00:36:31.489Z",
"dateReserved": "2026-03-23T17:34:57.561Z",
"dateUpdated": "2026-03-27T13:50:13.478Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24140 (GCVE-0-2026-24140)
Vulnerability from cvelistv5 – Published: 2026-01-23 23:59 – Updated: 2026-01-26 16:17
VLAI?
Title
MyTube has Mass Assignment via Settings Management
Summary
MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below have a Mass Assignment vulnerability in the settings management functionality due to insufficient input validation. The application's saveSettings() function accepts arbitrary key-value pairs without validating property names against allowed settings. The function uses Record<string, any> as input type and iterates over all entries using Object.entries() without filtering unauthorized properties. Any field sent by the attacker is directly persisted to the database, regardless of whether it corresponds to a legitimate application setting. This issue has been fixed in version 1.7.78.
Severity ?
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| franklioxygen | MyTube |
Affected:
< 1.7.79
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24140",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-26T16:14:35.666469Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T16:17:58.728Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MyTube",
"vendor": "franklioxygen",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.79"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below have a Mass Assignment vulnerability in the settings management functionality due to insufficient input validation. The application\u0027s saveSettings() function accepts arbitrary key-value pairs without validating property names against allowed settings. The function uses Record\u003cstring, any\u003e as input type and iterates over all entries using Object.entries() without filtering unauthorized properties. Any field sent by the attacker is directly persisted to the database, regardless of whether it corresponds to a legitimate application setting. This issue has been fixed in version 1.7.78."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-23T23:59:56.045Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-c938-x24g-fxcx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-c938-x24g-fxcx"
},
{
"name": "https://github.com/franklioxygen/MyTube/commit/9d737cb373f7af3e5c92d458e2832caf817b6de6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/franklioxygen/MyTube/commit/9d737cb373f7af3e5c92d458e2832caf817b6de6"
}
],
"source": {
"advisory": "GHSA-c938-x24g-fxcx",
"discovery": "UNKNOWN"
},
"title": "MyTube has Mass Assignment via Settings Management"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24140",
"datePublished": "2026-01-23T23:59:56.045Z",
"dateReserved": "2026-01-21T18:38:22.475Z",
"dateUpdated": "2026-01-26T16:17:58.728Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24139 (GCVE-0-2026-24139)
Vulnerability from cvelistv5 – Published: 2026-01-23 23:55 – Updated: 2026-01-26 16:18
VLAI?
Title
MyTube Allows Unauthorized Database Export by Guest Users
Summary
MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete application database. The application fails to properly validate user permissions on the database export endpoint, enabling low-privileged users to access sensitive data they should not have permission to view.
Severity ?
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| franklioxygen | MyTube |
Affected:
< 1.7.79
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24139",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-26T16:15:53.846287Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T16:18:05.863Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MyTube",
"vendor": "franklioxygen",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.79"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete application database. The application fails to properly validate user permissions on the database export endpoint, enabling low-privileged users to access sensitive data they should not have permission to view."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862: Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-23T23:55:23.541Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-hhc3-8q8c-89q7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-hhc3-8q8c-89q7"
},
{
"name": "https://github.com/franklioxygen/MyTube/commit/e271775e27d51b26e54731b7b874447f47a1f280",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/franklioxygen/MyTube/commit/e271775e27d51b26e54731b7b874447f47a1f280"
}
],
"source": {
"advisory": "GHSA-hhc3-8q8c-89q7",
"discovery": "UNKNOWN"
},
"title": "MyTube Allows Unauthorized Database Export by Guest Users"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24139",
"datePublished": "2026-01-23T23:55:23.541Z",
"dateReserved": "2026-01-21T18:38:22.475Z",
"dateUpdated": "2026-01-26T16:18:05.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23848 (GCVE-0-2026-23848)
Vulnerability from cvelistv5 – Published: 2026-01-19 20:34 – Updated: 2026-01-20 20:04
VLAI?
Title
MyTube has Rate Limiting Bypass via X-Forwarded-For Header Spoofing
Summary
MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.7.71, a rate limiting bypass via `X-Forwarded-For` header spoofing allows unauthenticated attackers to bypass IP-based rate limiting on general API endpoints. Attackers can spoof client IPs by manipulating the `X-Forwarded-For` header, enabling unlimited requests to protected endpoints, including general API endpoints (enabling DoS) and other rate-limited functionality. Version 1.7.71 contains a patch for the issue.
Severity ?
6.5 (Medium)
CWE
- CWE-807 - Reliance on Untrusted Inputs in a Security Decision
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| franklioxygen | MyTube |
Affected:
< 1.7.71
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23848",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T20:03:55.791149Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T20:04:56.547Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MyTube",
"vendor": "franklioxygen",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.71"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.7.71, a rate limiting bypass via `X-Forwarded-For` header spoofing allows unauthenticated attackers to bypass IP-based rate limiting on general API endpoints. Attackers can spoof client IPs by manipulating the `X-Forwarded-For` header, enabling unlimited requests to protected endpoints, including general API endpoints (enabling DoS) and other rate-limited functionality. Version 1.7.71 contains a patch for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-807",
"description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T20:34:40.060Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-59gr-529g-x45h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-59gr-529g-x45h"
},
{
"name": "https://github.com/franklioxygen/MyTube/commit/bc057458804ae7ac70ea00605680512ed3d4257b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/franklioxygen/MyTube/commit/bc057458804ae7ac70ea00605680512ed3d4257b"
}
],
"source": {
"advisory": "GHSA-59gr-529g-x45h",
"discovery": "UNKNOWN"
},
"title": "MyTube has Rate Limiting Bypass via X-Forwarded-For Header Spoofing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23848",
"datePublished": "2026-01-19T20:34:40.060Z",
"dateReserved": "2026-01-16T15:46:40.843Z",
"dateUpdated": "2026-01-20T20:04:56.547Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23837 (GCVE-0-2026-23837)
Vulnerability from cvelistv5 – Published: 2026-01-19 20:09 – Updated: 2026-01-20 17:24
VLAI?
Title
MyTube has an Authorization Bypass vulnerability
Summary
MyTube is a self-hosted downloader and player for several video websites. A vulnerability present in version 1.7.65 and poetntially earlier versions allows unauthenticated users to bypass the mandatory authentication check in the roleBasedAuthMiddleware. By simply not providing an authentication cookie (making req.user undefined), a request is incorrectly passed through to downstream handlers. All users running MyTube with loginEnabled: true are impacted. This flaw allows an attacker to access and modify application settings via /api/settings, change administrative and visitor passwords, and access other protected routes that rely on this specific middleware. The problem is patched in v1.7.66. MyTube maintainers recommend all users upgrade to at least version v1.7.64 immediately to secure their instances. The fix ensures that the middleware explicitly blocks requests if a user is not authenticated, rather than defaulting to next(). Those who cannot upgrade immediately can mitigate risk by restricting network access by usi a firewall or reverse proxy (like Nginx) to restrict access to the /api/ endpoints to trusted IP addresses only or, if they are comfortable editing the source code, manually patch by locating roleBasedAuthMiddleware and ensuring that the logic defaults to an error (401 Unauthorized) when req.user is undefined, instead of calling next().
Severity ?
9.8 (Critical)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| franklioxygen | MyTube |
Affected:
< 1.7.66
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23837",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T17:23:30.927442Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T17:24:06.897Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MyTube",
"vendor": "franklioxygen",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.66"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MyTube is a self-hosted downloader and player for several video websites. A vulnerability present in version 1.7.65 and poetntially earlier versions allows unauthenticated users to bypass the mandatory authentication check in the roleBasedAuthMiddleware. By simply not providing an authentication cookie (making req.user undefined), a request is incorrectly passed through to downstream handlers. All users running MyTube with loginEnabled: true are impacted. This flaw allows an attacker to access and modify application settings via /api/settings, change administrative and visitor passwords, and access other protected routes that rely on this specific middleware. The problem is patched in v1.7.66. MyTube maintainers recommend all users upgrade to at least version v1.7.64 immediately to secure their instances. The fix ensures that the middleware explicitly blocks requests if a user is not authenticated, rather than defaulting to next(). Those who cannot upgrade immediately can mitigate risk by restricting network access by usi a firewall or reverse proxy (like Nginx) to restrict access to the /api/ endpoints to trusted IP addresses only or, if they are comfortable editing the source code, manually patch by locating roleBasedAuthMiddleware and ensuring that the logic defaults to an error (401 Unauthorized) when req.user is undefined, instead of calling next()."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T20:09:37.223Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-cmvj-g69f-8664",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-cmvj-g69f-8664"
},
{
"name": "https://github.com/franklioxygen/MyTube/commit/f85ae9b0d6e4a6480c6af5b675a99069d08d496e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/franklioxygen/MyTube/commit/f85ae9b0d6e4a6480c6af5b675a99069d08d496e"
}
],
"source": {
"advisory": "GHSA-cmvj-g69f-8664",
"discovery": "UNKNOWN"
},
"title": "MyTube has an Authorization Bypass vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-23837",
"datePublished": "2026-01-19T20:09:37.223Z",
"dateReserved": "2026-01-16T15:46:40.842Z",
"dateUpdated": "2026-01-20T17:24:06.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}