{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33735", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.561Z", "datePublished": "2026-03-27T00:36:31.489Z", "dateUpdated": "2026-03-27T13:50:13.478Z"}, "containers": {"cna": {"title": "MyTube has an Improper Access Control that Allows Complete Application Takeover", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2"}, {"name": "https://github.com/franklioxygen/MyTube/commit/b7bf9b7960958c6c51f85fe50a2fc041a086c466", "tags": ["x_refsource_MISC"], "url": "https://github.com/franklioxygen/MyTube/commit/b7bf9b7960958c6c51f85fe50a2fc041a086c466"}, {"name": "https://github.com/franklioxygen/MyTube/blob/6ade838a46366174e2c030f856340f3856e03132/backend/src/middleware/roleBasedSettingsMiddleware.ts#L116", "tags": ["x_refsource_MISC"], "url": "https://github.com/franklioxygen/MyTube/blob/6ade838a46366174e2c030f856340f3856e03132/backend/src/middleware/roleBasedSettingsMiddleware.ts#L116"}], "affected": [{"vendor": "franklioxygen", "product": "MyTube", "versions": [{"version": "< 1.8.69", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:39:04.151Z"}, "descriptions": [{"lang": "en", "value": "MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.69, an authorization bypass in the `/api/settings/import-database` endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a full compromise of the application. The bypass is relevant for other POST routes as well. Version 1.8.69 fixes the issue."}], "source": {"advisory": "GHSA-63cf-662x-crp2", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:19:57.306177Z", "id": "CVE-2026-33735", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:50:13.478Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33735", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.561Z", "datePublished": "2026-03-27T00:36:31.489Z", "dateUpdated": "2026-03-27T13:50:13.478Z"}, "containers": {"cna": {"title": "MyTube has an Improper Access Control that Allows Complete Application Takeover", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2"}, {"name": "https://github.com/franklioxygen/MyTube/commit/b7bf9b7960958c6c51f85fe50a2fc041a086c466", "tags": ["x_refsource_MISC"], "url": "https://github.com/franklioxygen/MyTube/commit/b7bf9b7960958c6c51f85fe50a2fc041a086c466"}, {"name": "https://github.com/franklioxygen/MyTube/blob/6ade838a46366174e2c030f856340f3856e03132/backend/src/middleware/roleBasedSettingsMiddleware.ts#L116", "tags": ["x_refsource_MISC"], "url": "https://github.com/franklioxygen/MyTube/blob/6ade838a46366174e2c030f856340f3856e03132/backend/src/middleware/roleBasedSettingsMiddleware.ts#L116"}], "affected": [{"vendor": "franklioxygen", "product": "MyTube", "versions": [{"version": "< 1.8.69", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:39:04.151Z"}, "descriptions": [{"lang": "en", "value": "MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.69, an authorization bypass in the `/api/settings/import-database` endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a full compromise of the application. The bypass is relevant for other POST routes as well. Version 1.8.69 fixes the issue."}], "source": {"advisory": "GHSA-63cf-662x-crp2", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33735", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-27T13:19:57.306177Z"}}}], "references": [{"url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:19:48.727Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:franklioxygen:mytube:*:*:*:*:*:*:*:*", "matchCriteriaId": "3390F15D-159A-4E5F-93E0-DACD518848B8", "versionEndExcluding": "1.8.69", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.69, an authorization bypass in the `/api/settings/import-database` endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a full compromise of the application. The bypass is relevant for other POST routes as well. Version 1.8.69 fixes the issue."}, {"lang": "es", "value": "MyTube es un descargador y reproductor autoalojado para varios sitios web de videos. Antes de la versi\u00f3n 1.8.69, una omisi\u00f3n de autorizaci\u00f3n en el endpoint `/api/settings/import-database` permite a atacantes con credenciales de bajo privilegio cargar y reemplazar completamente la base de datos SQLite de la aplicaci\u00f3n, lo que lleva a un compromiso total de la aplicaci\u00f3n. La omisi\u00f3n es relevante tambi\u00e9n para otras rutas POST. La versi\u00f3n 1.8.69 corrige el problema."}], "id": "CVE-2026-33735", "lastModified": "2026-03-31T19:02:38.313", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T01:16:20.840", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/franklioxygen/MyTube/blob/6ade838a46366174e2c030f856340f3856e03132/backend/src/middleware/roleBasedSettingsMiddleware.ts#L116"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/franklioxygen/MyTube/commit/b7bf9b7960958c6c51f85fe50a2fc041a086c466"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.69)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "MyTube", "source": "cna", "vendor": "franklioxygen"}, "product": "mytube", "vendor": "franklioxygen"}], "analysis": {"en": {"generated_at": "2026-04-01T03:22:11.718904+00:00", "value": {"mitigation_remediation": ["Upgrade MyTube to version 1.8.69 or later to eliminate the authorization bypass."], "summary": {"action": "Immediate Patch", "impact": "Full Application Compromise"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the MyTube self\u2011hosted downloader and player. All releases prior to version 1.8.69 are affected by the authorization bypass. Version 1.8.69 and later contain the fix that removes the privilege escalation path.", "description_and_impact": "MyTube contains an improper access control flaw that permits an attacker with low\u2011privilege authentication to upload and replace the entire SQLite database via the /api/settings/import-database endpoint. By doing so, the attacker can modify or delete all stored data, effectively gaining complete control over the application. The weakness manifests as improper authorization and privilege escalation, allowing the attacker to bypass intended restrictions and execute arbitrary operations against the application\u2019s data layer.", "risk_and_exploitability": "The CVSS score of 7.4 indicates a high severity, while the EPSS score of less than 1% suggests a low current likelihood of exploitation. The attacker requires only authenticated, low\u2011privilege access and the ability to send a POST request to the vulnerable endpoint; no special conditions beyond that are described.\n"}}}}, "created": "2026-03-27T08:31:08.591872+00:00", "updated": "2026-04-02T07:55:51.955036+00:00", "vendors": ["franklioxygen", "franklioxygen$PRODUCT$mytube"]}