Home > Vulnerability Database > CVE-2026-24140

Mend.io Vulnerability Database

CVE-2026-24140

Good to know:

Date: January 23, 2026

MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below have a Mass Assignment vulnerability in the settings management functionality due to insufficient input validation. The application's saveSettings() function accepts arbitrary key-value pairs without validating property names against allowed settings. The function uses Record<string, any> as input type and iterates over all entries using Object.entries() without filtering unauthorized properties. Any field sent by the attacker is directly persisted to the database, regardless of whether it corresponds to a legitimate application setting. This issue has been fixed in version 1.7.78.

Severity Score

2.7

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-24140

Url: https://github.com/franklioxygen/MyTube/security/advisories/GHSA-c938-x24g-fxcx

Url: https://github.com/franklioxygen/MyTube/commit/9d737cb373f7af3e5c92d458e2832caf817b6de6

Url: https://www.mend.io/vulnerability-database/CVE-2026-24140

Severity Score

2.7

Weakness Type (CWE)

Improperly Controlled Modification of Dynamically-Determined Object Attributes

CWE-915

Top Fix

Upgrade Version

Upgrade to version https://github.com/franklioxygen/MyTube.git - v1.7.79

Learn More

CVSS v3.1

Base Score:	2.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-24140

Good to know:

Date: January 23, 2026

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?