CVE-2026-58447

MEDIUM
6.5
CVSS 3.1
Description
Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.

Metadata

CVE ID
CVE-2026-58447
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-06-30 19:09 UTC
Published
2026-06-30 21:05 UTC
Last updated
2026-06-30 21:05 UTC
Primary CWE
CWE-639
Authorization Bypass Through User-Controlled Key
Vendor / Product
iv-org / Invidious
Sources
cve.org  ·  NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Affected products (1)
Vendor | Product | Platform | Versions
iv-org | Invidious | | 0 ≤ 2.20260626.0, 77ad41678b45c4f6815940123f1796fc51259f45

Weakness (CWE)
CWE | Source | Description
CWE-639 | cna | Authorization Bypass Through User-Controlled Key

CVSS scores (2)
Score | Severity | Version | Source | Vector
7.1 | HIGH | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
6.5 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N