CVE-2026-23848

MEDIUM

MyTube < 1.7.71 - Unauthenticated Rate Limit Bypass via X-Forwarded-For Header Spoofing

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-23848. PoCs published by p1ngul1n0.

AI-analyzed exploit summary The repository provides a detailed technical analysis of CVE-2026-23848, a rate-limiting bypass vulnerability via X-Forwarded-For header spoofing. It includes a proof-of-concept curl command demonstrating the exploit, along with references to advisory and CVE records.

Description

MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.7.71, a rate limiting bypass via `X-Forwarded-For` header spoofing allows unauthenticated attackers to bypass IP-based rate limiting on general API endpoints. Attackers can spoof client IPs by manipulating the `X-Forwarded-For` header, enabling unlimited requests to protected endpoints, including general API endpoints (enabling DoS) and other rate-limited functionality. Version 1.7.71 contains a patch for the issue.

Exploits (1)

github WRITEUP 1 stars

by p1ngul1n0 · poc

https://github.com/p1ngul1n0/security-research/tree/main/CVE-2026-23848.md

View Code ZIP pw:eip

The repository provides a detailed technical analysis of CVE-2026-23848, a rate-limiting bypass vulnerability via X-Forwarded-For header spoofing. It includes a proof-of-concept curl command demonstrating the exploit, along with references to advisory and CVE records.

Classification

Writeup 90%

Attack Type

Dos

Complexity

Trivial

Reliability

Reliable

Target: MyTube (version not specified)

No auth needed

Prerequisites: Access to the target API endpoint · Ability to send HTTP requests with custom headers

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_confirm

https://github.com/franklioxygen/MyTube/security/advisories/GHSA-59gr-529g-x45h

Patch x_refsource_misc

https://github.com/franklioxygen/MyTube/commit/bc057458804ae7ac70ea00605680512ed3d4257b

Scores

CVSS v3 6.5

EPSS 0.0032

EPSS Percentile 23.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-807

Status published

Products (1)

franklioxygen/mytube < 1.7.71

Published Jan 19, 2026

Tracked Since Feb 18, 2026