
Franklioxygen Mytube vulnerabilities

7 known vulnerabilities affecting franklioxygen/mytube.

Total CVEs: 7
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 2, MEDIUM 3

Vulnerabilities

CVE-2026-23837 | P2 | CRITICAL | CVSS 9.8 | fixed in 1.7.66 | 2026-01-19
CVE-2026-23837 [CRITICAL] CWE-863: MyTube is a self-hosted downloader and player for several video websites. A vulnerability present in version 1.7.65 and potentially earlier versions allows unauthenticated users to bypass the mandatory authentication check in the roleBasedAuthMiddleware. By simply not providing an authentication cookie (making req.user undefined), a request is inc
nvd
CVE-2026-33890 | P2 | CRITICAL | CVSS 9.8 | fixed in 1.8.71 | 2026-03-27
CVE-2026-33890 [CRITICAL] CWE-284: MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.71, an unauthenticated attacker can register an arbitrary passkey and subsequently authenticate with it to obtain a full admin session. The application exposes passkey registration endpoints without requiring prior authentication. Any successfully authent
nvd
CVE-2026-33735 | P3 | HIGH | CVSS 8.8 | fixed in 1.8.69 | 2026-03-27
CVE-2026-33735 [HIGH] CWE-285: MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.69, an authorization bypass in the `/api/settings/import-database` endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a full compromise of the application. The bypass is releva
nvd
CVE-2026-33935 | P3 | HIGH | CVSS 7.5 | fixed in 1.8.72 | 2026-03-27
CVE-2026-33935 [HIGH] CWE-307: MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification endpoints, all of which are publicly accessible. All th
nvd
CVE-2026-24139 | P3 | MEDIUM | CVSS 6.5 | ≤ 1.7.78 | fixed in 1.7.79 | 2026-01-24
CVE-2026-24139 [MEDIUM] CWE-862: MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete application database. The application fails to properly validate user permissions on the database export endpoint, enabling low-privileged users to access sens
nvd
CVE-2026-23848 | P4 | MEDIUM | CVSS 5.3 | fixed in 1.7.71 | 2026-01-19
CVE-2026-23848 [MEDIUM] CWE-807: MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.7.71, a rate limiting bypass via `X-Forwarded-For` header spoofing allows unauthenticated attackers to bypass IP-based rate limiting on general API endpoints. Attackers can spoof client IPs by manipulating the `X-Forwarded-For` header, enabling unlimited req
nvd
CVE-2026-24140 | P4 | MEDIUM | CVSS 5.3 | fixed in 1.7.78 | fixed in 1.7.79 | 2026-01-24
CVE-2026-24140 [MEDIUM] CWE-915: MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below have a Mass Assignment vulnerability in the settings management functionality due to insufficient input validation. The application's saveSettings() function accepts arbitrary key-value pairs without validating property names against allowed settings.
nvd