Invidious
Monthly
Cross-user data tampering in Invidious through 2.20260626.0 lets any authenticated user permanently delete videos from playlists they do not own by submitting an arbitrary global video index to the playlist endpoint's remove_video action. The flaw is a broken object level authorization (BOLA) issue where per-video index values are harvested from the public playlist JSON API and replayed without an ownership check. Publicly available exploit code exists and a vendor fix has been released (commit 77ad416); there is no public exploit identified as being used in active attacks.
Cross-user data tampering in Invidious through 2.20260626.0 lets any authenticated user permanently delete videos from playlists they do not own by submitting an arbitrary global video index to the playlist endpoint's remove_video action. The flaw is a broken object level authorization (BOLA) issue where per-video index values are harvested from the public playlist JSON API and replayed without an ownership check. Publicly available exploit code exists and a vendor fix has been released (commit 77ad416); there is no public exploit identified as being used in active attacks.