CVE-2026-58447
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk13th percentile — higher than 13% of all known CVEs
Summary
A vulnerability in Invidious through version 2.20260626.0 (fixed in commit 77ad416) allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.
Risk Assessment
The risk involves the permanent deletion of videos from other users' playlists, potentially leading to data loss, service disruption, and loss of user trust.
Recommendation
Immediately update Invidious to a version containing commit 77ad416 or later to eliminate the broken object level authorization vulnerability.
Original NVD description (English source)
Invidious through 2.20260626.0, fixed in commit 77ad416, contains a broken object level authorization vulnerability that allows authenticated attackers to delete videos from other users' playlists by supplying an arbitrary global video index in the remove_video action of the playlist endpoint. Attackers can obtain per-video index values from the public playlist JSON API and submit them to the playlist video deletion endpoint without ownership validation, permanently removing videos from playlists they do not own.

