Project Subscriptions
No advisories yet.
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
Wed, 01 Jul 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 01 Jul 2026 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Iv-org
Iv-org invidious |
|
| Vendors & Products |
Iv-org
Iv-org invidious |
Tue, 30 Jun 2026 21:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own. | |
| Title | Invidious - Cross-User Playlist Video Deletion via Missing Ownership Check | |
| First Time appeared |
Iv Org
Iv Org invidious |
|
| Weaknesses | CWE-639 | |
| CPEs | cpe:2.3:a:iv_org:invidious:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Iv Org
Iv Org invidious |
|
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-01T13:21:45.208Z
Reserved: 2026-06-30T19:09:07.025Z
Link: CVE-2026-58447
Updated: 2026-07-01T13:21:41.576Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-01T13:30:15Z