{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33735", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.561Z", "datePublished": "2026-03-27T00:36:31.489Z", "dateUpdated": "2026-03-27T00:39:04.151Z"}, "containers": {"cna": {"title": "MyTube has an Improper Access Control that Allows Complete Application Takeover", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2"}, {"name": "https://github.com/franklioxygen/MyTube/commit/b7bf9b7960958c6c51f85fe50a2fc041a086c466", "tags": ["x_refsource_MISC"], "url": "https://github.com/franklioxygen/MyTube/commit/b7bf9b7960958c6c51f85fe50a2fc041a086c466"}, {"name": "https://github.com/franklioxygen/MyTube/blob/6ade838a46366174e2c030f856340f3856e03132/backend/src/middleware/roleBasedSettingsMiddleware.ts#L116", "tags": ["x_refsource_MISC"], "url": "https://github.com/franklioxygen/MyTube/blob/6ade838a46366174e2c030f856340f3856e03132/backend/src/middleware/roleBasedSettingsMiddleware.ts#L116"}], "affected": [{"vendor": "franklioxygen", "product": "MyTube", "versions": [{"version": "< 1.8.69", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:39:04.151Z"}, "descriptions": [{"lang": "en", "value": "MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.69, an authorization bypass in the `/api/settings/import-database` endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a full compromise of the application. The bypass is relevant for other POST routes as well. Version 1.8.69 fixes the issue."}], "source": {"advisory": "GHSA-63cf-662x-crp2", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.69, an authorization bypass in the `/api/settings/import-database` endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a full compromise of the application. The bypass is relevant for other POST routes as well. Version 1.8.69 fixes the issue."}], "id": "CVE-2026-33735", "lastModified": "2026-03-27T01:16:20.840", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T01:16:20.840", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/franklioxygen/MyTube/blob/6ade838a46366174e2c030f856340f3856e03132/backend/src/middleware/roleBasedSettingsMiddleware.ts#L116"}, {"source": "security-advisories@github.com", "url": "https://github.com/franklioxygen/MyTube/commit/b7bf9b7960958c6c51f85fe50a2fc041a086c466"}, {"source": "security-advisories@github.com", "url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.69)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "MyTube", "source": "cna", "vendor": "franklioxygen"}, "product": "mytube", "vendor": "franklioxygen"}], "analysis": {"en": {"generated_at": "2026-03-27T06:23:26.094622+00:00", "value": {"mitigation_remediation": ["Apply the latest MyTube release 1.8.69 or newer to remove the flaw", "If an update is not yet available, configure the web server or application to block or restrict access to the \"/api/settings/import-database\" endpoint for non\u2011admin users", "Actively monitor web\u2011application logs for unexpected POST requests to the import endpoint", "Verify and monitor the integrity of the SQLite database file to detect unauthorized replacements"], "summary": {"action": "Immediate Patch", "impact": "Full application compromise through database replacement"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the MyTube application distributed by franklioxygen. Any deployment running a version prior to 1.8.69 is vulnerable. Version 1.8.69 and later contain a fix that enforces proper role\u2011based access control for the import endpoint and related POST routes.", "description_and_impact": "An improper access control flaw in MyTube allows an attacker with low\u2011privilege credentials to invoke the \"/api/settings/import-database\" endpoint via POST requests. The endpoint accepts an uploaded SQLite database and replaces the existing application database without proper authorization checks. Because the database contains all application data and configuration, the attacker effectively gains complete control of the application, including modifying settings, uploading content, and possibly executing arbitrary code. The weakness is a classic example of forbidden resource injection and privilege escalation (CWE\u2011285 and CWE\u2011639).", "risk_and_exploitability": "The CVSS score of 7.4 indicates high severity, reflecting the possibility of full compromise. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog, implying it may be an emerging threat. The attack requires only authenticated access to a low\u2011privilege account and an HTTP POST to the vulnerable endpoint, making it relatively easy to exploit in a compromised or open environment. Immediate remediation is recommended to prevent potential data loss or takeover."}}}}, "created": "2026-03-27T08:31:08.591872+00:00", "updated": "2026-03-27T09:22:30.977019+00:00", "vendors": ["franklioxygen", "franklioxygen$PRODUCT$mytube"]}