{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23848", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-16T15:46:40.843Z", "datePublished": "2026-01-19T20:34:40.060Z", "dateUpdated": "2026-01-20T20:04:56.547Z"}, "containers": {"cna": {"title": "MyTube has Rate Limiting Bypass via X-Forwarded-For Header Spoofing", "problemTypes": [{"descriptions": [{"cweId": "CWE-807", "lang": "en", "description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-59gr-529g-x45h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-59gr-529g-x45h"}, {"name": "https://github.com/franklioxygen/MyTube/commit/bc057458804ae7ac70ea00605680512ed3d4257b", "tags": ["x_refsource_MISC"], "url": "https://github.com/franklioxygen/MyTube/commit/bc057458804ae7ac70ea00605680512ed3d4257b"}], "affected": [{"vendor": "franklioxygen", "product": "MyTube", "versions": [{"version": "< 1.7.71", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T20:34:40.060Z"}, "descriptions": [{"lang": "en", "value": "MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.7.71, a rate limiting bypass via `X-Forwarded-For` header spoofing allows unauthenticated attackers to bypass IP-based rate limiting on general API endpoints. Attackers can spoof client IPs by manipulating the `X-Forwarded-For` header, enabling unlimited requests to protected endpoints, including general API endpoints (enabling DoS) and other rate-limited functionality. Version 1.7.71 contains a patch for the issue."}], "source": {"advisory": "GHSA-59gr-529g-x45h", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T20:03:55.791149Z", "id": "CVE-2026-23848", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T20:04:56.547Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23848", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-20T20:03:55.791149Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T20:03:56.970Z"}}], "cna": {"title": "MyTube has Rate Limiting Bypass via X-Forwarded-For Header Spoofing", "source": {"advisory": "GHSA-59gr-529g-x45h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "franklioxygen", "product": "MyTube", "versions": [{"status": "affected", "version": "< 1.7.71"}]}], "references": [{"url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-59gr-529g-x45h", "name": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-59gr-529g-x45h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/franklioxygen/MyTube/commit/bc057458804ae7ac70ea00605680512ed3d4257b", "name": "https://github.com/franklioxygen/MyTube/commit/bc057458804ae7ac70ea00605680512ed3d4257b", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.7.71, a rate limiting bypass via `X-Forwarded-For` header spoofing allows unauthenticated attackers to bypass IP-based rate limiting on general API endpoints. Attackers can spoof client IPs by manipulating the `X-Forwarded-For` header, enabling unlimited requests to protected endpoints, including general API endpoints (enabling DoS) and other rate-limited functionality. Version 1.7.71 contains a patch for the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-807", "description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T20:34:40.060Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23848", "state": "PUBLISHED", "dateUpdated": "2026-01-20T20:04:56.547Z", "dateReserved": "2026-01-16T15:46:40.843Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-19T20:34:40.060Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:franklioxygen:mytube:*:*:*:*:*:*:*:*", "matchCriteriaId": "2F1B06A3-6E3D-40FA-87EF-05C2805BEE55", "versionEndExcluding": "1.7.71", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.7.71, a rate limiting bypass via `X-Forwarded-For` header spoofing allows unauthenticated attackers to bypass IP-based rate limiting on general API endpoints. Attackers can spoof client IPs by manipulating the `X-Forwarded-For` header, enabling unlimited requests to protected endpoints, including general API endpoints (enabling DoS) and other rate-limited functionality. Version 1.7.71 contains a patch for the issue."}], "id": "CVE-2026-23848", "lastModified": "2026-02-02T13:27:34.320", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-19T21:15:51.433", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/franklioxygen/MyTube/commit/bc057458804ae7ac70ea00605680512ed3d4257b"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-59gr-529g-x45h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-807"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T04:58:55.502985+00:00", "value": {"mitigation_remediation": ["Upgrade MyTube to version\u202f1.7.71 or later to apply the official patch that removes the unvalidated use of the X\u2011Forwarded\u2011For header in rate\u2011limiting logic.", "If upgrading immediately is not possible, configure the reverse proxy or the application to ignore or strip X\u2011Forwarded\u2011For headers so that the server uses only the true source IP for rate limiting.", "As a longer\u2011term measure, enforce stricter rate\u2011limiting rules that do not rely on a single header, and audit the application to ensure all user\u2011supplied headers are properly validated before influencing security controls."], "summary": {"action": "Apply Patch", "impact": "Denial of Service via Rate Limiting Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in all releases of Franklioxygen MyTube up to and including version 1.7.70. Version 1.7.71 and later contain a patch that eliminates the rate\u2011limiting bypass.", "description_and_impact": "MyTube, a self\u2011hosted downloader and player, allows unauthenticated users to craft an X\u2011Forwarded\u2011For header that convinces the application to treat the request as coming from a different IP. The application performs rate limiting solely on the client IP it sees, so by spoofing that header an attacker can send an unlimited number of requests to any rate\u2011limited API endpoint. The result is a denial\u2011of\u2011service scenario, with the ability to exhaust resources or prevent legitimate users from accessing the service.", "risk_and_exploitability": "The CVSS score is 6.5, indicating a medium level of severity. The EPSS score is below 1\u202f%, suggesting a very small probability of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. The attack vector requires only the ability to send HTTP requests with an arbitrary X\u2011Forwarded\u2011For header, so any unauthenticated victim could carry it out through a standard web server."}}}}, "created": "2026-01-20T08:40:39.932074+00:00", "updated": "2026-04-18T05:00:06.042883+00:00", "vendors": ["franklioxygen", "franklioxygen$PRODUCT$mytube"]}