CVE-2026-57946

LOW

Invidious - Private Playlist Disclosure via Unauthenticated RSS Feed Endpoint

Title source: cna

Description

Invidious before version 2.20260626.0 contains a broken access control vulnerability (CWE-862, missing authorization): the RSS feed playlist endpoint serves private playlists without requiring authentication. An unauthenticated attacker who supplies a playlist ID to the feed endpoint obtains the full playlist contents, the owner's email address, and the associated video entries.

Scores

CVSS v3: 3.7
EPSS: 0.0027
EPSS Percentile: 19.0%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-862
Status: published
Products (1): iv-org/Invidious < 2.20260626.0
Published: Jun 29, 2026
Tracked Since: Jun 29, 2026