PT-2026-4538 · Mytube · Mytube

P1Ngul1N0 · Published 2026-01-23 · Updated 2026-01-24 · CVE-2026-24140

CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

MyTube versions prior to 1.7.78

Description

MyTube is a self-hosted downloader and player for video websites. Versions 1.7.78 and earlier are subject to a Mass Assignment issue in the settings management functionality because of inadequate input validation. The saveSettings() function accepts arbitrary key-value pairs without validating property names against allowed settings. The function utilizes Record<string, any> as the input type and iterates through all entries using Object.entries() without filtering unauthorized properties. Any field sent by an attacker is directly saved to the database, irrespective of whether it represents a legitimate application setting.

Recommendations

Update to version 1.7.78 or later.
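
The pattern from the description next to an allowlist-based version, as an added TypeScript example that is not MyTube's source code. The setting names, validators, Map-backed store and request body are assumptions constructed for illustration.

```typescript
// Added example, not MyTube source. Setting names and the Map store are hypothetical.
type Store = Map<string, unknown>;

// Pattern described in the advisory: every key in the input is persisted as-is.
function saveSettingsUnsafe(store: Store, input: Record<string, any>): void {
  for (const [key, value] of Object.entries(input)) {
    store.set(key, value);
  }
}

// Allowlist: each permitted setting name maps to a validator for its value.
const ALLOWED_SETTINGS: Record<string, (v: unknown) => boolean> = {
  theme: (v) => v === "light" || v === "dark",
  maxConcurrentDownloads: (v) =>
    typeof v === "number" && Number.isInteger(v) && v >= 1 && v <= 10,
  language: (v) => typeof v === "string" && /^[a-z]{2}(-[A-Z]{2})?$/.test(v),
};

interface SaveResult { saved: string[]; rejected: string[]; }

function saveSettingsSafe(store: Store, input: unknown): SaveResult {
  const result: SaveResult = { saved: [], rejected: [] };
  if (typeof input !== "object" || input === null || Array.isArray(input)) {
    return result; // not a plain key-value object: nothing is written
  }
  for (const [key, value] of Object.entries(input as Record<string, unknown>)) {
    // Own-property check: a key such as "constructor" must not resolve to an
    // inherited Object member and be mistaken for a validator.
    const known = Object.prototype.hasOwnProperty.call(ALLOWED_SETTINGS, key);
    const validator = known ? ALLOWED_SETTINGS[key] : undefined;
    if (validator && validator(value)) {
      store.set(key, value);
      result.saved.push(key);
    } else {
      result.rejected.push(key); // report or log; never persist
    }
  }
  return result;
}

// Constructed request body: one valid setting, one out-of-range value,
// and two keys that are not application settings.
const sampleBody = JSON.parse(
  '{"theme":"dark","maxConcurrentDownloads":999,"isAdmin":true,"constructor":"x"}'
);
```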

Related Identifiers

CVE-2026-24140
GHSA-C938-X24G-FXCX

Affected Products

Mytube