CVE-2026-24140
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-24

Last updated on: 2026-02-02

Assigner: GitHub, Inc.

Description
MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below have a Mass Assignment vulnerability in the settings management functionality due to insufficient input validation. The application's saveSettings() function accepts arbitrary key-value pairs without validating property names against allowed settings. The function uses Record<string, any> as input type and iterates over all entries using Object.entries() without filtering unauthorized properties. Any field sent by the attacker is directly persisted to the database, regardless of whether it corresponds to a legitimate application setting. This issue has been fixed in version 1.7.78.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-24
Last Modified
2026-02-02
Generated
2026-06-16
AI Q&A
2026-01-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-24140
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
franklioxygen mytube to 1.7.78 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-915 The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Mass Assignment issue in the MyTube application's settings management. The saveSettings() function accepts arbitrary key-value pairs without validating if the keys are allowed settings. This means an attacker can send arbitrary fields in a request, and those fields will be saved directly to the database without any checks. This can lead to unauthorized configuration changes or injection of malicious values into the application's settings. [1]

Impact Analysis

An attacker with high privileges can exploit this vulnerability to inject unauthorized configuration entries into the application's settings storage. This could overwrite legitimate settings or insert malicious values, potentially altering the application's behavior. However, the vulnerability has a low severity score (CVSS 2.7) and does not impact confidentiality or availability, only integrity to a limited extent. [1]

Detection Guidance

This vulnerability can be detected by sending a POST request to the application's settings API endpoint with arbitrary properties and observing if they are saved without validation. For example, you can use the following curl command to test for the vulnerability: ``` curl -X POST http://localhost:4173/api/settings \ -H "Content-Type: application/json" \ -d '{ "arbitraryField": "injected" }' ``` If the arbitrary field is accepted and persisted, the system is vulnerable. [1]

Mitigation Strategies

To mitigate this vulnerability, update the application to a version that includes mass assignment protection in the saveSettings function. This involves implementing a whitelist of allowed setting keys and ignoring any unauthorized fields. The fix includes validating input keys against a predefined whitelist before saving them to the database, preventing arbitrary properties from being persisted. If an update is not immediately possible, restrict access to the settings API to trusted users with high privileges to reduce the risk of exploitation. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24140. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart