Description
MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below have a Mass Assignment vulnerability in the settings management functionality due to insufficient input validation. The application's saveSettings() function accepts arbitrary key-value pairs without validating property names against allowed settings. The function uses Record<string, any> as input type and iterates over all entries using Object.entries() without filtering unauthorized properties. Any field sent by the attacker is directly persisted to the database, regardless of whether it corresponds to a legitimate application setting. This issue has been fixed in version 1.7.78.
Published: 2026-01-23
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Settings Modification
Action: Patch
AI Analysis

Impact

A mass assignment vulnerability exists in the settings management function of MyTube, where the application’s saveSettings() method accepts arbitrary key‑value pairs without filtering them against an allowed list. The effect is that any setting sent by an attacker is persisted directly to the database, allowing alteration of application behavior through unauthorized configuration changes. This weakness can lead to unintended functionality or data exposure and is identified as CWE‑915.

Affected Systems

The flaw affects the open‑source video downloader and player MyTube by franklioxygen, specifically all versions before 1.7.78. Version 1.7.78 and later contain a fix for the issue.

Risk and Exploitability

The CVSS score of 2.7 indicates low to moderate severity, and the EPSS score of less than 1% signals a very low but non‑zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. As the flaw is tied to the settings API, the likely attack vector is via authenticated users submitting arbitrary configuration data, although the exact method is not detailed in the advisory and is inferred from the API design.

Generated by OpenCVE AI on April 18, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MyTube to version 1.7.78 or later, which contains the mass assignment fix.
  • Modify the saveSettings() implementation to validate property keys against an allowed list of settings before writing to the database.
  • Audit existing configuration records for unauthorized settings and remediate any discovered anomalies.
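The pattern the advisory describes and the allow-list fix recommended above, as an added TypeScript example that is not MyTube's own code. The function names saveSettingsUnsafe, saveSettingsSafe and auditSettings, the Map used in place of a database, and the setting keys in ALLOWED_SETTINGS are all assumptions made for illustration; the constructed request body at the bottom is sample input, not data from the advisory.

```typescript
// Added example, not MyTube's code. Demonstrates the mass-assignment pattern
// (Record<string, any> + Object.entries() with no key filtering) beside an
// allow-listed variant, plus an audit helper for existing records.

// Stand-in for the settings table in the database (assumption).
type SettingsStore = Map<string, unknown>;

// Vulnerable shape: every key in the request body is persisted as a setting.
function saveSettingsUnsafe(store: SettingsStore, body: Record<string, any>): void {
  for (const [key, value] of Object.entries(body)) {
    store.set(key, value); // no check that `key` is a real setting
  }
}

// Hardened shape: the set of legitimate settings is declared up front,
// each with a validator for its value. Keys are hypothetical.
const ALLOWED_SETTINGS: Record<string, (v: unknown) => boolean> = {
  downloadPath: (v) => typeof v === "string" && v.length > 0,
  maxConcurrentDownloads: (v) =>
    Number.isInteger(v) && (v as number) >= 1 && (v as number) <= 10,
  theme: (v) => v === "light" || v === "dark",
};

interface SaveResult {
  accepted: string[];        // keys written to the store
  rejectedUnknown: string[]; // keys that are not settings at all
  rejectedInvalid: string[]; // known keys whose value failed validation
}

function saveSettingsSafe(store: SettingsStore, body: Record<string, unknown>): SaveResult {
  const result: SaveResult = { accepted: [], rejectedUnknown: [], rejectedInvalid: [] };
  for (const [key, value] of Object.entries(body)) {
    // hasOwnProperty.call (not `key in ALLOWED_SETTINGS`) so that inherited
    // names such as "constructor" or "toString" are not treated as settings.
    const validate = Object.prototype.hasOwnProperty.call(ALLOWED_SETTINGS, key)
      ? ALLOWED_SETTINGS[key]
      : undefined;
    if (!validate) {
      result.rejectedUnknown.push(key);
      continue;
    }
    if (!validate(value)) {
      result.rejectedInvalid.push(key);
      continue;
    }
    store.set(key, value);
    result.accepted.push(key);
  }
  return result;
}

// Audit helper for records written before the fix: returns stored keys that
// are not in the allow list, so they can be reviewed and removed.
function auditSettings(store: SettingsStore): string[] {
  const unknown: string[] = [];
  for (const key of store.keys()) {
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_SETTINGS, key)) {
      unknown.push(key);
    }
  }
  return unknown.sort();
}

// Constructed sample request body: one valid setting, one out-of-range value,
// and one key that is not a setting at all.
const SAMPLE_BODY: Record<string, unknown> = {
  downloadPath: "/srv/media",
  maxConcurrentDownloads: 50,
  notASetting: true,
};

// Runs both variants on the sample body and reports what each persisted.
function runDemo(): { unsafeKeys: string[]; safeResult: SaveResult; auditFindings: string[] } {
  const unsafeStore: SettingsStore = new Map();
  saveSettingsUnsafe(unsafeStore, SAMPLE_BODY);

  const safeStore: SettingsStore = new Map();
  const safeResult = saveSettingsSafe(safeStore, SAMPLE_BODY);

  return {
    unsafeKeys: Array.from(unsafeStore.keys()).sort(),
    safeResult,
    auditFindings: auditSettings(unsafeStore),
  };
}
```

Running runDemo() shows the difference: the unsafe variant stores all three keys, while the safe variant persists only downloadPath, rejects maxConcurrentDownloads as invalid and notASetting as unknown; auditSettings over the unsafe store flags notASetting as the record to review.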

Tracking

Advisories

No advisories yet.

History

Mon, 02 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:franklioxygen:mytube:*:*:*:*:*:*:*:*

Mon, 26 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared: Franklioxygen; Franklioxygen mytube
Vendors & Products: Franklioxygen; Franklioxygen mytube

Sat, 24 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
Description MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below have a Mass Assignment vulnerability in the settings management functionality due to insufficient input validation. The application's saveSettings() function accepts arbitrary key-value pairs without validating property names against allowed settings. The function uses Record<string, any> as input type and iterates over all entries using Object.entries() without filtering unauthorized properties. Any field sent by the attacker is directly persisted to the database, regardless of whether it corresponds to a legitimate application setting. This issue has been fixed in version 1.7.78.
Title MyTube has Mass Assignment via Settings Management
Weaknesses CWE-915
References
Metrics cvssV3_1

{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Franklioxygen Mytube
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-26T16:17:58.728Z

Reserved: 2026-01-21T18:38:22.475Z

Link: CVE-2026-24140

Vulnrichment

Updated: 2026-01-26T16:14:36.654Z

NVD

Status : Analyzed

Published: 2026-01-24T00:15:49.450

Modified: 2026-02-02T13:26:17.833

Link: CVE-2026-24140

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T20:00:09Z

Weaknesses