CVE-2026-23848

Source
https://cve.org/CVERecord?id=CVE-2026-23848
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23848.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-23848
Aliases
  • GHSA-59gr-529g-x45h
Published
2026-01-19T20:34:40.060Z
Modified
2026-02-24T07:43:00.509915Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Summary
MyTube has Rate Limiting Bypass via X-Forwarded-For Header Spoofing
Details

MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.7.71, a rate limiting bypass via X-Forwarded-For header spoofing allows unauthenticated attackers to bypass IP-based rate limiting on general API endpoints. Attackers can spoof client IPs by manipulating the X-Forwarded-For header, enabling unlimited requests to protected endpoints, including general API endpoints (enabling DoS) and other rate-limited functionality. Version 1.7.71 contains a patch for the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23848.json",
    "cwe_ids": [
        "CWE-807"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/franklioxygen/mytube

Affected ranges

Type
GIT
Repo
https://github.com/franklioxygen/mytube
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v1.*
v1.3.15
v1.3.16
v1.3.17
v1.3.18
v1.3.19
v1.4.0
v1.4.1
v1.4.10
v1.4.11
v1.4.12
v1.4.13
v1.4.14
v1.4.15
v1.4.16
v1.4.17
v1.4.18
v1.4.19
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.9
v1.5.0
v1.5.1
v1.5.10
v1.5.11
v1.5.12
v1.5.13
v1.5.14
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.6
v1.5.7
v1.5.9
v1.6.0
v1.6.1
v1.6.10
v1.6.11
v1.6.12
v1.6.13
v1.6.14
v1.6.15
v1.6.16
v1.6.17
v1.6.18
v1.6.19
v1.6.2
v1.6.20
v1.6.21
v1.6.22
v1.6.23
v1.6.24
v1.6.25
v1.6.26
v1.6.27
v1.6.28
v1.6.29
v1.6.3
v1.6.30
v1.6.31
v1.6.32
v1.6.33
v1.6.34
v1.6.35
v1.6.36
v1.6.37
v1.6.38
v1.6.39
v1.6.4
v1.6.40
v1.6.41
v1.6.42
v1.6.43
v1.6.44
v1.6.45
v1.6.46
v1.6.47
v1.6.48
v1.6.49
v1.6.5
v1.6.6
v1.6.7
v1.6.8
v1.6.9
v1.7.0
v1.7.1
v1.7.10
v1.7.11
v1.7.12
v1.7.13
v1.7.14
v1.7.15
v1.7.16
v1.7.17
v1.7.18
v1.7.19
v1.7.2
v1.7.20
v1.7.21
v1.7.22
v1.7.23
v1.7.24
v1.7.25
v1.7.26
v1.7.27
v1.7.28
v1.7.29
v1.7.3
v1.7.30
v1.7.31
v1.7.32
v1.7.33
v1.7.34
v1.7.35
v1.7.36
v1.7.37
v1.7.38
v1.7.39
v1.7.4
v1.7.40
v1.7.41
v1.7.42
v1.7.43
v1.7.44
v1.7.45
v1.7.46
v1.7.47
v1.7.48
v1.7.49
v1.7.5
v1.7.50
v1.7.51
v1.7.52
v1.7.53
v1.7.54
v1.7.55
v1.7.56
v1.7.57
v1.7.58
v1.7.59
v1.7.6
v1.7.60
v1.7.61
v1.7.62
v1.7.63
v1.7.64
v1.7.65
v1.7.66
v1.7.67
v1.7.68
v1.7.69
v1.7.7
v1.7.70
v1.7.8
v1.7.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23848.json"