CVE-2026-24139
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete application database. The application fails to properly validate user permissions on the database export endpoint, enabling low-privileged users to access sensitive data they should not have permission to view.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| franklioxygen | MyTube | < 1.7.79 | affected |
Weaknesses
- CWE-862: CWE-862: Missing Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/franklioxygen/MyTube/security/advisories/GHSA-hhc3-8q8c-89q7
- https://github.com/franklioxygen/MyTube/commit/e271775e27d51b26e54731b7b874447f47a1f280
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.