PT-2026-3501 · Mytube · Mytube

P1Ngul1N0 · Published 2026-01-19 · Updated 2026-02-02 · CVE-2026-23848

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Name of the Vulnerable Software and Affected Versions: MyTube versions prior to 1.7.71

Description: MyTube is a self-hosted downloader and player for several video websites. Its IP-based rate limiting on general API endpoints can be bypassed by spoofing the X-Forwarded-For header. An unauthenticated attacker who manipulates this header can spoof the client IP and send unlimited requests to the protected endpoints, potentially leading to a denial-of-service (DoS) condition.

Recommendations: Update MyTube to version 1.7.71 or later.
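
The failure mode described above and one way to close it, as an added example (not MyTube's code or its actual fix): a limiter keyed on the left-most X-Forwarded-For value next to one that only reads the header when the TCP peer is a known proxy. The proxy address `10.0.0.5`, the limit of 5 requests per minute, all function names and the traffic are assumptions constructed for illustration.

```javascript
// Hypothetical names throughout; assumption: one reverse proxy at 10.0.0.5 fronts the app.
const TRUSTED_PROXIES = new Set(['10.0.0.5']);

// Weak pattern: trusts the left-most X-Forwarded-For entry, which the client controls.
function naiveClientIp(req) {
  const xff = req.headers['x-forwarded-for'];
  return xff ? xff.split(',')[0].trim() : req.socket.remoteAddress;
}

// Hardened: start from the TCP peer; read the header only when that peer is a
// trusted proxy, walk it right to left and stop at the first untrusted address.
function trustedClientIp(req) {
  let ip = req.socket.remoteAddress;
  if (!TRUSTED_PROXIES.has(ip)) return ip; // direct connection: ignore the header
  const hops = (req.headers['x-forwarded-for'] || '')
    .split(',').map((s) => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    ip = hops[i];
    if (!TRUSTED_PROXIES.has(ip)) break;
  }
  return ip;
}

// Fixed-window limiter keyed on whatever keyFn returns for the request.
function makeLimiter(keyFn, limit, windowMs) {
  const hits = new Map();
  return function allow(req, now = Date.now()) {
    const key = keyFn(req);
    const entry = hits.get(key);
    if (!entry || now - entry.start >= windowMs) {
      hits.set(key, { start: now, count: 1 });
      return true;
    }
    entry.count += 1;
    return entry.count <= limit;
  };
}

// Constructed traffic: one client (203.0.113.7) sends a different header value on
// every request; the proxy appends the address it actually saw.
function simulate(keyFn, n = 20) {
  const allow = makeLimiter(keyFn, 5, 60_000);
  let accepted = 0;
  for (let i = 0; i < n; i++) {
    const req = { socket: { remoteAddress: '10.0.0.5' },
      headers: { 'x-forwarded-for': `198.51.100.${i}, 203.0.113.7` } };
    if (allow(req, 1000 + i)) accepted++;
  }
  return accepted;
}

console.log('naive:', simulate(naiveClientIp), 'hardened:', simulate(trustedClientIp));
```

The naive key gives every request its own bucket, so the limit is never reached; the hardened key collapses them into one bucket for the address the proxy observed.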

Exploit

Fix

DoS

Weakness Enumeration

Related identifiers

CVE-2026-23848
GHSA-59GR-529G-X45H

Affected products

Mytube