8 matches found
EUVD-2026-40415
Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the removevideo action of the playlist endpoint...
CVE-2026-58447 Invidious - Cross-User Playlist Video Deletion via Missing Ownership Check
Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the removevideo action of the playlist endpoint...
CVE-2026-58447
CVE-2026-58447 (Invidious) : A broken object-level authorization vulnerability affects Invidious up to version 2.20260626.0. An authenticated attacker can delete videos from other users’ playlists by supplying an arbitrary global video index to the remove_video endpoint, using per-video indices e...
CVE-2026-58447 Invidious - Cross-User Playlist Video Deletion via Missing Ownership Check
Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the removevideo action of the playlist endpoint...
CVE-2026-57946
CVE-2026-57946 affects Invidious prior to version 2.20260626.0. A broken access control allows unauthenticated attackers to fetch private playlist contents by requesting the RSS feed playlist endpoint with a playlist ID, exposing the full playlist, owner email address, and associated video entrie...
CVE-2026-57946 Invidious - Private Playlist Disclosure via Unauthenticated RSS Feed Endpoint
Invidious before version 2.20260626.0 contains a broken access control vulnerability that allows unauthenticated attackers to retrieve private playlist contents by accessing the RSS feed playlist endpoint without authentication. Attackers can supply a playlist ID to the feed endpoint to obtain th...
CVE-2026-57946 Invidious - Private Playlist Disclosure via Unauthenticated RSS Feed Endpoint
Invidious before version 2.20260626.0 contains a broken access control vulnerability that allows unauthenticated attackers to retrieve private playlist contents by accessing the RSS feed playlist endpoint without authentication. Attackers can supply a playlist ID to the feed endpoint to obtain th...
EUVD-2026-40163
Invidious before version 2.20260626.0 contains a broken access control vulnerability that allows unauthenticated attackers to retrieve private playlist contents by accessing the RSS feed playlist endpoint without authentication. Attackers can supply a playlist ID to the feed endpoint to obtain th...