Back to CVE List

CVE-2026-58447

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score
6.5 / 10
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Vulnerability Description

Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.

Vulnerability Details

Published Date
Last Modified
CWE ID
CWE-639
Source
NVD
Vendor
iv-org
Product
Invidious

External References

Discussion (0)

Add Comment

No comments yet. Be the first!