Submit #801529: alexta69 MeTube 2026.04.09 Permissive Cross-domain Policy with Untrusted Domainsinfo

Titlealexta69 MeTube 2026.04.09 Permissive Cross-domain Policy with Untrusted Domains
DescriptionMeTube unconditionally reflects the Origin header in CORS responses and has no authentication, allowing any malicious website to initiate downloads, delete files, overwrite cookies, and manage subscriptions on a victim's instance via cross-origin requests. I've made a pull request with the fixed code. https://github.com/alexta69/metube/pull/949
Source⚠️ https://github.com/az10b/security-advisories/blob/main/cors_MeTube.md
User
 AliAz (UID 74624)
Submission04/10/2026 03:09 (3 months ago)
Moderation05/01/2026 08:52 (21 days later)
StatusAccepted
VulDB entry360528 [alexta69 MeTube up to 2026.04.09 CORS Policy app/main.py on_prepare cross-domain policy]
Points19

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!