Unrated severityOSV Advisory· Published Jan 23, 2026· Updated Jan 26, 2026

MyTube Allows Unauthorized Database Export by Guest Users

CVE-2026-24139

Description

MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete application database. The application fails to properly validate user permissions on the database export endpoint, enabling low-privileged users to access sensitive data they should not have permission to view.

Affected products

Franklioxygen/MytubeOSV
Range: v1.3.15, v1.3.16, v1.3.17, …

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/franklioxygen/MyTube/commit/e271775e27d51b26e54731b7b874447f47a1f280mitrex_refsource_MISC
github.com/franklioxygen/MyTube/security/advisories/GHSA-hhc3-8q8c-89q7mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000