Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A security vulnerability has been detected in alexta69 MeTube up to 2026.04.09. This affects the function on_prepare of the file app/main.py of the component CORS Policy. The manipulation leads to permissive cross-domain policy with untrusted domains. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2026.04.10 is able to mitigate this issue. The identifier of the patch is 0072d3488ae5b8d922d3ee87458d829993742a32. It is recommended to upgrade the affected component.
AnalysisAI
Permissive CORS policy in MeTube up to version 2026.04.09 allows remote attackers to bypass same-origin restrictions by exploiting wildcard origin acceptance (cors_allowed_origins='*') in the on_prepare function of app/main.py, potentially enabling cross-domain data theft or unauthorized API access. The vulnerability requires user interaction (UI:P) but grants information disclosure via cross-domain requests. Publicly available exploit code exists; upgrade to 2026.04.10 fixes the issue by restricting origins to a configurable allowlist.
Technical ContextAI
MeTube is a web-based YouTube downloader using Socket.IO for real-time communication. The vulnerability resides in the CORS (Cross-Origin Resource Sharing) policy configuration within the AsyncServer initialization and the add_cors middleware function. In vulnerable versions, the Socket.IO server was configured with cors_allowed_origins='*', accepting requests from any domain. The add_cors middleware mirrored the request's Origin header directly into the Access-Control-Allow-Origin response header without validation, violating CWE-346 (Origin Validation Error). The patch introduces a configurable CORS_ALLOWED_ORIGINS configuration parameter parsed into a strict allowlist, and the middleware now validates the incoming Origin header against this list before setting the response header. This shifts from implicit-trust-all to explicit-trust-only-configured-origins, a critical pattern for defending against cross-domain attacks targeting sensitive API endpoints.
RemediationAI
Upgrade MeTube immediately to version 2026.04.10 or later; this version enforces a configurable CORS allowlist (CORS_ALLOWED_ORIGINS configuration parameter) replacing the permissive wildcard policy. After upgrading, configure the CORS_ALLOWED_ORIGINS environment variable or config file to explicitly list only trusted origin domains (e.g., 'https://example.com, https://app.example.com'), leaving the value empty or omitting it to default to no cross-origin requests if internal use only. If upgrade is temporarily blocked, disable external network access to the MeTube instance using firewall rules (restrict TCP port access to internal networks only) or reverse proxy authentication. The trade-off of firewall restriction is reduced functionality for remote access; the trade-off of strict CORS configuration is requiring reconfiguration and testing if legitimate cross-domain clients exist. Reference the patch details at https://github.com/alexta69/metube/commit/0072d3488ae5b8d922d3ee87458d829993742a32 and pull request at https://github.com/alexta69/metube/pull/949 for implementation details.
Same weakness CWE-346 – Origin Validation Error
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26501