← Back

CVE-2026-24140

nvd nist
Published: Jan 24, 2026Modified: Feb 2, 2026

JSON object

Loading...
5.3
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Exploitability: 3.9 / Impact: 1.4
Source: NVD

Description

MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below have a Mass Assignment vulnerability in the settings management functionality due to insufficient input validation. The application's saveSettings() function accepts arbitrary key-value pairs without validating property names against allowed settings. The function uses Record<string, any> as input type and iterates over all entries using Object.entries() without filtering unauthorized properties. Any field sent by the attacker is directly persisted to the database, regardless of whether it corresponds to a legitimate application setting. This issue has been fixed in version 1.7.78.

Affected (1)

Franklioxygen
1 product
Mytube
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Mytube
Before 1.7.78

Related CWEs

CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

References (2)

Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
ExploitThird Party Advisory

Timeline

No history available yet.