Cyber Resilience

CVE-2026-23848

MediumPublic PoC

Published: 19 January 2026

Published
19 January 2026
Modified
02 February 2026
KEV Added
Patch
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
EPSS Score 0.0020 42.3th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23848 is a medium-severity Reliance on Untrusted Inputs in a Security Decision (CWE-807) vulnerability in Franklioxygen Mytube. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003); ranked at the 42.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.7.71, a rate limiting bypass via `X-Forwarded-For` header spoofing allows unauthenticated attackers to bypass IP-based rate limiting on general API endpoints. Attackers can spoof client IPs…

more

by manipulating the `X-Forwarded-For` header, enabling unlimited requests to protected endpoints, including general API endpoints (enabling DoS) and other rate-limited functionality. Version 1.7.71 contains a patch for the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.003 Application Exhaustion Flood Impact
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

Rate-limit bypass via header spoofing directly enables application-layer request flooding against API endpoints (Application Exhaustion Flood).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

Affected Assets

franklioxygen
mytube
≤ 1.7.71

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-807

Prevents reliance on untrusted matching results for security-relevant decisions by enforcing verification and contest procedures.

addresses: CWE-807

Providing authoritative attributes with the data reduces the need for security decisions to rely on untrusted external inputs.

addresses: CWE-807

Reduces reliance on untrusted inputs by ensuring only authorized sources may supply data.

References