Mass Assignment Vulnerability in MyTube Affects Multiple Versions
CVE-2026-24140

2.7LOW

Key Information:

Vendor: Franklioxygen
Status: Mytube
Vendor: CVE Published:; 23 January 2026

🔔 Create Franklioxygen Vulnerability Alert

What is CVE-2026-24140?

MyTube, a self-hosted downloader and player for video websites, is susceptible to a mass assignment vulnerability in its settings management feature. Versions 1.7.78 and earlier do not properly validate input data received in the saveSettings() function, allowing attackers to inject arbitrary key-value pairs. This means that any field sent by an attacker can be directly saved to the database, regardless of whether it is a legitimate setting, potentially compromising the application's integrity and leading to unauthorized changes. This vulnerability has been rectified in version 1.7.79.

Affected Version(s)

MyTube < 1.7.79

References

https://github.com/franklioxygen/MyTube/security/advisori...

x_refsource_CONFIRM

https://github.com/franklioxygen/MyTube/commit/9d737cb373...

x_refsource_MISC

CVSS V3.1

Score:

2.7

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 23, 2026
Vulnerability Reserved
Jan 21, 2026

CVE-2026-24140 Data

JSON