CVE-2026-24140: CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes in franklioxygen MyTube
MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below have a Mass Assignment vulnerability in the settings management functionality due to insufficient input validation. The application's saveSettings() function accepts arbitrary key-value pairs without validating property names against allowed settings. The function uses Record<string, any> as input type and iterates over all entries using Object.entries() without filtering unauthorized properties. Any field sent by the attacker is directly persisted to the database, regardless of whether it corresponds to a legitimate application setting. This issue has been fixed in version 1.7.78.
AI Analysis
Technical Summary
CVE-2026-24140 identifies a mass assignment vulnerability in the MyTube application, a self-hosted video downloader and player supporting multiple video websites. Versions 1.7.78 and earlier contain a flaw in the settings management functionality, specifically in the saveSettings() function. This function accepts a Record<string, any> input type representing arbitrary key-value pairs for configuration settings. However, it lacks proper validation to restrict which properties can be modified. The function iterates over all entries using Object.entries() and directly persists every property to the database without filtering or verifying if the property corresponds to a legitimate setting. This improper control over dynamically-determined object attributes (CWE-915) allows an attacker with high privileges to inject unauthorized settings or modify internal application state, potentially leading to integrity violations such as misconfiguration or enabling hidden features. The vulnerability does not affect confidentiality or availability and requires the attacker to have authenticated high-level access to the application. No user interaction is needed. The issue was publicly disclosed on January 23, 2026, and fixed in version 1.7.79. There are no known exploits in the wild, and the CVSS v3.1 base score is 2.7, reflecting low severity due to limited impact and exploitation requirements.
Potential Impact
For European organizations using MyTube for self-hosted video downloading and playback, this vulnerability could allow an attacker with high privileges to alter application settings beyond intended parameters. This may lead to unauthorized configuration changes, potentially undermining application integrity and trustworthiness of media content delivery. While confidentiality and availability are not directly impacted, integrity violations could disrupt workflows or introduce subtle misconfigurations that degrade service quality or security posture. Organizations in media, broadcasting, or content distribution sectors relying on MyTube may face operational risks if attackers exploit this flaw to manipulate settings. However, the requirement for high privilege and absence of known exploits limit the immediate threat. Still, failure to patch could expose sensitive environments to targeted attacks or insider threats aiming to subvert application behavior.
Mitigation Recommendations
European organizations should immediately upgrade MyTube to version 1.7.79 or later, where the vulnerability is fixed by enforcing strict validation of allowed settings properties in the saveSettings() function. Until upgrading, administrators should restrict access to the settings management interface to trusted personnel only, minimizing the risk of high-privilege attackers exploiting the flaw. Implement application-layer input validation to whitelist acceptable configuration keys and reject any unexpected parameters. Conduct thorough audits of existing settings to detect unauthorized modifications. Employ monitoring and alerting on configuration changes to quickly identify suspicious activity. Additionally, enforce strong authentication and access controls to prevent unauthorized high-privilege access. Regularly review and update software dependencies and maintain a patch management process to promptly address future vulnerabilities.
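The pattern the advisory describes, next to the allowlist fix it recommends, as an added example in TypeScript that is not MyTube's code: saveSettingsUnsafe persists every key that Object.entries() yields, while saveSettingsSafe rejects the whole request when any key falls outside a constructed allowlist (MyTube's real setting keys are not on the page) and returns the rejected keys so the caller can log or alert on them. All names in the block are assumptions.

```typescript
// Added example, not MyTube's code: a toy settings store contrasting the
// mass-assignment pattern the advisory describes with an allowlisted version.
// SettingsDb, ALLOWED_SETTINGS, saveSettingsUnsafe, saveSettingsSafe, SAMPLE_BODY
// and demo are assumed names; MyTube's real setting keys are not on the page.

type SettingsDb = Map<string, unknown>;
type SaveResult = { saved: string[]; rejected: string[] };

// Constructed allowlist: each legitimate setting and the JSON type it must have.
const ALLOWED_SETTINGS: Readonly<Record<string, "string" | "number" | "boolean">> = {
  downloadDir: "string",
  maxConcurrentDownloads: "number",
  theme: "string",
};

// Vulnerable pattern (CWE-915): every key in the body is persisted, setting or not.
function saveSettingsUnsafe(db: SettingsDb, body: Record<string, any>): void {
  for (const [key, value] of Object.entries(body)) {
    db.set(key, value);
  }
}

// Hardened version: the whole request is rejected if any key is unknown or has
// the wrong type; offending keys are returned so the caller can log/alert on them.
function saveSettingsSafe(db: SettingsDb, body: Record<string, unknown>): SaveResult {
  const rejected: string[] = [];
  for (const [key, value] of Object.entries(body)) {
    const expected = Object.prototype.hasOwnProperty.call(ALLOWED_SETTINGS, key)
      ? ALLOWED_SETTINGS[key]
      : undefined;
    if (expected === undefined || typeof value !== expected) rejected.push(key);
  }
  if (rejected.length > 0) return { saved: [], rejected };
  for (const [key, value] of Object.entries(body)) db.set(key, value);
  return { saved: Object.keys(body), rejected };
}

// Constructed request body: two legitimate keys plus one that is not a setting.
const SAMPLE_BODY: Record<string, unknown> = JSON.parse(
  '{"theme":"dark","maxConcurrentDownloads":3,"notASetting":true}'
);

// Runs both versions on the same body and reports what each one persisted.
function demo(): { unsafeKeys: string[]; safeResult: SaveResult; safeKeys: string[] } {
  const unsafeDb: SettingsDb = new Map();
  saveSettingsUnsafe(unsafeDb, SAMPLE_BODY);
  const safeDb: SettingsDb = new Map();
  const safeResult = saveSettingsSafe(safeDb, SAMPLE_BODY);
  return { unsafeKeys: Array.from(unsafeDb.keys()).sort(), safeResult, safeKeys: Array.from(safeDb.keys()) };
}
```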
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-21T18:38:22.475Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69740ce44623b1157c6b18a3
Added to database: 1/24/2026, 12:05:56 AM
Last enriched: 1/31/2026, 8:52:52 AM
Last updated: 2/8/2026, 5:23:50 AM