{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33735", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.561Z", "datePublished": "2026-03-27T00:36:31.489Z", "dateUpdated": "2026-03-27T13:50:13.478Z"}, "containers": {"cna": {"title": "MyTube has an Improper Access Control that Allows Complete Application Takeover", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2"}, {"name": "https://github.com/franklioxygen/MyTube/commit/b7bf9b7960958c6c51f85fe50a2fc041a086c466", "tags": ["x_refsource_MISC"], "url": "https://github.com/franklioxygen/MyTube/commit/b7bf9b7960958c6c51f85fe50a2fc041a086c466"}, {"name": "https://github.com/franklioxygen/MyTube/blob/6ade838a46366174e2c030f856340f3856e03132/backend/src/middleware/roleBasedSettingsMiddleware.ts#L116", "tags": ["x_refsource_MISC"], "url": "https://github.com/franklioxygen/MyTube/blob/6ade838a46366174e2c030f856340f3856e03132/backend/src/middleware/roleBasedSettingsMiddleware.ts#L116"}], "affected": [{"vendor": "franklioxygen", "product": "MyTube", "versions": [{"version": "< 1.8.69", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:39:04.151Z"}, "descriptions": [{"lang": "en", "value": "MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.69, an authorization bypass in the `/api/settings/import-database` endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a full compromise of the application. The bypass is relevant for other POST routes as well. Version 1.8.69 fixes the issue."}], "source": {"advisory": "GHSA-63cf-662x-crp2", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T13:19:57.306177Z", "id": "CVE-2026-33735", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:50:13.478Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33735", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.561Z", "datePublished": "2026-03-27T00:36:31.489Z", "dateUpdated": "2026-03-27T13:50:13.478Z"}, "containers": {"cna": {"title": "MyTube has an Improper Access Control that Allows Complete Application Takeover", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2"}, {"name": "https://github.com/franklioxygen/MyTube/commit/b7bf9b7960958c6c51f85fe50a2fc041a086c466", "tags": ["x_refsource_MISC"], "url": "https://github.com/franklioxygen/MyTube/commit/b7bf9b7960958c6c51f85fe50a2fc041a086c466"}, {"name": "https://github.com/franklioxygen/MyTube/blob/6ade838a46366174e2c030f856340f3856e03132/backend/src/middleware/roleBasedSettingsMiddleware.ts#L116", "tags": ["x_refsource_MISC"], "url": "https://github.com/franklioxygen/MyTube/blob/6ade838a46366174e2c030f856340f3856e03132/backend/src/middleware/roleBasedSettingsMiddleware.ts#L116"}], "affected": [{"vendor": "franklioxygen", "product": "MyTube", "versions": [{"version": "< 1.8.69", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:39:04.151Z"}, "descriptions": [{"lang": "en", "value": "MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.69, an authorization bypass in the `/api/settings/import-database` endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a full compromise of the application. The bypass is relevant for other POST routes as well. Version 1.8.69 fixes the issue."}], "source": {"advisory": "GHSA-63cf-662x-crp2", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33735", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-27T13:19:57.306177Z"}}}], "references": [{"url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T13:19:48.727Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.69, an authorization bypass in the `/api/settings/import-database` endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a full compromise of the application. The bypass is relevant for other POST routes as well. Version 1.8.69 fixes the issue."}, {"lang": "es", "value": "MyTube es un descargador y reproductor autoalojado para varios sitios web de videos. Antes de la versi\u00f3n 1.8.69, una omisi\u00f3n de autorizaci\u00f3n en el endpoint `/api/settings/import-database` permite a atacantes con credenciales de bajo privilegio cargar y reemplazar completamente la base de datos SQLite de la aplicaci\u00f3n, lo que lleva a un compromiso total de la aplicaci\u00f3n. La omisi\u00f3n es relevante tambi\u00e9n para otras rutas POST. La versi\u00f3n 1.8.69 corrige el problema."}], "id": "CVE-2026-33735", "lastModified": "2026-03-27T15:16:56.527", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T01:16:20.840", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/franklioxygen/MyTube/blob/6ade838a46366174e2c030f856340f3856e03132/backend/src/middleware/roleBasedSettingsMiddleware.ts#L116"}, {"source": "security-advisories@github.com", "url": "https://github.com/franklioxygen/MyTube/commit/b7bf9b7960958c6c51f85fe50a2fc041a086c466"}, {"source": "security-advisories@github.com", "url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-63cf-662x-crp2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.69)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "MyTube", "source": "cna", "vendor": "franklioxygen"}, "product": "mytube", "vendor": "franklioxygen"}], "analysis": {"en": {"generated_at": "2026-03-27T06:23:26.094622+00:00", "value": {"mitigation_remediation": ["Apply the latest MyTube release 1.8.69 or newer to remove the flaw", "If an update is not yet available, configure the web server or application to block or restrict access to the \"/api/settings/import-database\" endpoint for non\u2011admin users", "Actively monitor web\u2011application logs for unexpected POST requests to the import endpoint", "Verify and monitor the integrity of the SQLite database file to detect unauthorized replacements"], "summary": {"action": "Immediate Patch", "impact": "Full application compromise through database replacement"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the MyTube application distributed by franklioxygen. Any deployment running a version prior to 1.8.69 is vulnerable. Version 1.8.69 and later contain a fix that enforces proper role\u2011based access control for the import endpoint and related POST routes.", "description_and_impact": "An improper access control flaw in MyTube allows an attacker with low\u2011privilege credentials to invoke the \"/api/settings/import-database\" endpoint via POST requests. The endpoint accepts an uploaded SQLite database and replaces the existing application database without proper authorization checks. Because the database contains all application data and configuration, the attacker effectively gains complete control of the application, including modifying settings, uploading content, and possibly executing arbitrary code. The weakness is a classic example of forbidden resource injection and privilege escalation (CWE\u2011285 and CWE\u2011639).", "risk_and_exploitability": "The CVSS score of 7.4 indicates high severity, reflecting the possibility of full compromise. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog, implying it may be an emerging threat. The attack requires only authenticated access to a low\u2011privilege account and an HTTP POST to the vulnerable endpoint, making it relatively easy to exploit in a compromised or open environment. Immediate remediation is recommended to prevent potential data loss or takeover."}}}}, "created": "2026-03-27T08:31:08.591872+00:00", "updated": "2026-03-27T09:22:30.977019+00:00", "vendors": ["franklioxygen", "franklioxygen$PRODUCT$mytube"]}