Auth bypass in Franklioxygen Mytube

CVE-2026-24139

MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete application database. The application fails to…

Vulnerability class: Broken Access Control

EPSS: 0.000 (2.1th percentile) — read the EPSS interpretation.

Affected products

Franklioxygen Mytube — versions < 1.7.79

Weakness classification (CWE)

CWE-862 — Missing Authorization

References

https://github.com/franklioxygen/MyTube/security/advisories/GHSA-hhc3-8q8c-89q7 (x_refsource_CONFIRM)
https://github.com/franklioxygen/MyTube/commit/e271775e27d51b26e54731b7b874447f47a1f280 (x_refsource_MISC)