CVE-2026-33735

MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.69, an authorization bypass in the `/api/settings/import-database` endpoint allows an authenticated attacker with low-privilege credentials to upload and replace the application's entire SQLite database, leading to a full compromise of the application. The same bypass also affects other POST routes. Version 1.8.69 fixes the issue.
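As an added illustration of the CWE-285 pattern this record describes (an example written here, not MyTube's own roleBasedSettingsMiddleware.ts, whose logic the page does not show): a constructed permissive guard that applies a role check only to some HTTP methods, beside a default-deny guard that maps each (method, route) pair to a minimum role and rejects anything under the settings prefix that is not explicitly listed. The role names, route list, request shape and the particular fall-through in the flawed guard are assumptions made for this example.

```typescript
// Added example: default-deny authorization for privileged settings routes,
// contrasted with a constructed permissive guard. This is NOT MyTube's
// middleware; roles, routes, request shape and the flaw are assumptions.

type Role = "viewer" | "editor" | "admin";

interface Req {
  method: string;                       // upper-case HTTP method
  path: string;                         // normalized path, no query string
  user?: { name: string; role: Role };  // absent when unauthenticated
}

const RANK: Record<Role, number> = { viewer: 0, editor: 1, admin: 2 };

function hasRole(req: Req, min: Role): boolean {
  return req.user !== undefined && RANK[req.user.role] >= RANK[min];
}

// Constructed flawed guard (CWE-285 pattern): the role check is keyed on the
// HTTP method, and any method not listed falls through to "allow".
function flawedGuard(req: Req): boolean {
  if (!req.path.startsWith("/api/settings")) return true;
  if (req.method === "GET") return true;              // anyone may read settings
  if (req.method === "PUT") return hasRole(req, "admin");
  return true; // BUG (constructed): POST/PATCH/DELETE never reach a role check
}

// Hardened guard: explicit allow-list of (method, path prefix) -> minimum role;
// everything else under the settings prefix is denied, whatever the method.
interface Rule { method: string; prefix: string; minRole: Role }

const SETTINGS_RULES: Rule[] = [
  { method: "GET",  prefix: "/api/settings",                 minRole: "viewer" },
  { method: "PUT",  prefix: "/api/settings",                 minRole: "admin"  },
  { method: "POST", prefix: "/api/settings/import-database", minRole: "admin"  },
];

function matchesPrefix(path: string, prefix: string): boolean {
  return path === prefix || path.startsWith(prefix + "/");
}

function hardenedGuard(req: Req): boolean {
  if (!req.path.startsWith("/api/settings")) return true; // other routers guard themselves
  if (req.user === undefined) return false;                // unauthenticated: deny
  const rule = SETTINGS_RULES.find(
    (r) => r.method === req.method && matchesPrefix(req.path, r.prefix),
  );
  if (rule === undefined) return false;                    // default deny
  return hasRole(req, rule.minRole);
}

// Builds a constructed sample request for the scenarios below.
function mk(method: string, path: string, role?: Role): Req {
  return role === undefined
    ? { method, path }
    : { method, path, user: { name: `${role}-user`, role } };
}

// Constructed scenarios; the first has the shape of the advisory's bypass.
const SCENARIOS: Array<[string, Req]> = [
  ["viewer POST import-database",     mk("POST", "/api/settings/import-database", "viewer")],
  ["editor POST other settings route", mk("POST", "/api/settings/some-other-action", "editor")],
  ["admin POST import-database",      mk("POST", "/api/settings/import-database", "admin")],
  ["viewer GET settings",             mk("GET", "/api/settings", "viewer")],
  ["anonymous POST import-database",  mk("POST", "/api/settings/import-database")],
];

for (const [label, req] of SCENARIOS) {
  console.log(`${label}: flawed=${flawedGuard(req)} hardened=${hardenedGuard(req)}`);
}
```

Run with ts-node or tsx. The hardened guard assumes the router has already normalized the path (as Express does for `req.path`); the point it demonstrates is that a privileged route family must be gated by an allow-list with a deny default rather than by per-method special cases, which is what closes the "other POST routes" part of this record.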
Configurations

Configuration 1

cpe:2.3:a:franklioxygen:mytube:*:*:*:*:*:*:*:*

History

31 Mar 2026, 19:02

Type: First Time
  Added: Franklioxygen; Franklioxygen mytube

Type: CPE
  Added: cpe:2.3:a:franklioxygen:mytube:*:*:*:*:*:*:*:*

Type: References
  https://github.com/franklioxygen/MyTube/blob/6ade838a46366174e2c030f856340f3856e03132/backend/src/middleware/roleBasedSettingsMiddleware.ts#L116
  Tag added: Product

Type: References
  https://github.com/franklioxygen/MyTube/commit/b7bf9b7960958c6c51f85fe50a2fc041a086c466
  Tag added: Patch

Type: References
  https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2
  Tags added: Exploit, Vendor Advisory

Type: CVSS
  Removed: v2 unknown; v3 unknown
  Added: v2 unknown; v3 8.8

27 Mar 2026, 15:16

Type: Summary
  Added (es, translated from Spanish): MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.69, an authorization bypass in the `/api/settings/import-database` endpoint allows attackers with low-privilege credentials to upload and completely replace the application's SQLite database, leading to a full compromise of the application. The bypass is also relevant for other POST routes. Version 1.8.69 fixes the issue.

Type: References
  Added: https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2

27 Mar 2026, 01:16

Type: New CVE

Information

Published : 2026-03-27 01:16

Updated : 2026-03-31 19:02


NVD link : CVE-2026-33735

Mitre link : CVE-2026-33735

CVE.ORG link : CVE-2026-33735



Products Affected

franklioxygen

  • mytube
CWE

CWE-285: Improper Authorization

CWE-639: Authorization Bypass Through User-Controlled Key