Search Results (2 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-58447 2 Iv-org, Iv Org 2 Invidious, Invidious 2026-07-01 6.5 Medium
Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.
CVE-2026-57946 1 Iv-org 1 Invidious 2026-07-01 3.7 Low
Invidious before version 2.20260626.0 contains a broken access control vulnerability that allows unauthenticated attackers to retrieve private playlist contents by accessing the RSS feed playlist endpoint without authentication. Attackers can supply a playlist ID to the feed endpoint to obtain the full playlist contents, owner email address, and associated video entries without any authentication.