Skip to main content

Invidious

1 CVEs product

Monthly

CVE-2026-58447 HIGH POC PATCH This Week

Cross-user data tampering in Invidious through 2.20260626.0 lets any authenticated user permanently delete videos from playlists they do not own by submitting an arbitrary global video index to the playlist endpoint's remove_video action. The flaw is a broken object level authorization (BOLA) issue where per-video index values are harvested from the public playlist JSON API and replayed without an ownership check. Publicly available exploit code exists and a vendor fix has been released (commit 77ad416); there is no public exploit identified as being used in active attacks.

Authentication Bypass Invidious
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Cross-user data tampering in Invidious through 2.20260626.0 lets any authenticated user permanently delete videos from playlists they do not own by submitting an arbitrary global video index to the playlist endpoint's remove_video action. The flaw is a broken object level authorization (BOLA) issue where per-video index values are harvested from the public playlist JSON API and replayed without an ownership check. Publicly available exploit code exists and a vendor fix has been released (commit 77ad416); there is no public exploit identified as being used in active attacks.

Authentication Bypass Invidious
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy