CVE-2026-24140

LOW

2.7

Description

MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below have a Mass Assignment vulnerability in the settings management functionality due to insufficient input validation. The application's saveSettings() function accepts arbitrary key-value pairs without validating property names against allowed settings. The function uses Record<string, any> as input type and iterates over all entries using Object.entries() without filtering unauthorized properties. Any field sent by the attacker is directly persisted to the database, regardless of whether it corresponds to a legitimate application setting. This issue has been fixed in version 1.7.78.

CVE Details

CVSS v3.1 Score2.7

SeverityLOW

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredHIGH

User InteractionNONE

Published1/24/2026

Last Modified2/2/2026

Sourcenvd

Honeypot Sightings0

Affected Products

franklioxygen:mytube

Weaknesses (CWE)

CWE-915

References

https://github.com/franklioxygen/MyTube/commit/9d737cb373f7af3e5c92d458e2832caf817b6de6(security-advisories@github.com)

https://github.com/franklioxygen/MyTube/security/advisories/GHSA-c938-x24g-fxcx(security-advisories@github.com)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.