CVE-2026-33735

Source
https://cve.org/CVERecord?id=CVE-2026-33735
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33735.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33735
Aliases
  • GHSA-63cf-662x-crp2
Published
2026-03-27T00:36:31.489Z
Modified
2026-04-10T05:42:54.702092Z
Severity
  • 7.4 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Summary
MyTube has an Improper Access Control that Allows Complete Application Takeover
Details

MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.69, an authorization bypass in the /api/settings/import-database endpoint allows attackers with low-privilege credentials to upload a file that entirely replaces the application's SQLite database, leading to a full compromise of the application. The bypass is relevant for other POST routes as well. Version 1.8.69 fixes the issue.

Database specific
{
    "cwe_ids": [
        "CWE-285",
        "CWE-639"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33735.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/franklioxygen/mytube

Affected ranges

Type
GIT
Repo
https://github.com/franklioxygen/mytube
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.8.69"
        }
    ]
}

Affected versions

v1.*
v1.3.15
v1.3.16
v1.3.17
v1.3.18
v1.3.19
v1.4.0
v1.4.1
v1.4.10
v1.4.11
v1.4.12
v1.4.13
v1.4.14
v1.4.15
v1.4.16
v1.4.17
v1.4.18
v1.4.19
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.4.9
v1.5.0
v1.5.1
v1.5.10
v1.5.11
v1.5.12
v1.5.13
v1.5.14
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.5.6
v1.5.7
v1.5.9
v1.6.0
v1.6.1
v1.6.10
v1.6.11
v1.6.12
v1.6.13
v1.6.14
v1.6.15
v1.6.16
v1.6.17
v1.6.18
v1.6.19
v1.6.2
v1.6.20
v1.6.21
v1.6.22
v1.6.23
v1.6.24
v1.6.25
v1.6.26
v1.6.27
v1.6.28
v1.6.29
v1.6.3
v1.6.30
v1.6.31
v1.6.32
v1.6.33
v1.6.34
v1.6.35
v1.6.36
v1.6.37
v1.6.38
v1.6.39
v1.6.4
v1.6.40
v1.6.41
v1.6.42
v1.6.43
v1.6.44
v1.6.45
v1.6.46
v1.6.47
v1.6.48
v1.6.49
v1.6.5
v1.6.6
v1.6.7
v1.6.8
v1.6.9
v1.7.0
v1.7.1
v1.7.10
v1.7.100
v1.7.101
v1.7.102
v1.7.103
v1.7.104
v1.7.105
v1.7.106
v1.7.107
v1.7.108
v1.7.109
v1.7.11
v1.7.110
v1.7.111
v1.7.112
v1.7.113
v1.7.114
v1.7.115
v1.7.116
v1.7.117
v1.7.12
v1.7.13
v1.7.14
v1.7.15
v1.7.16
v1.7.17
v1.7.18
v1.7.19
v1.7.2
v1.7.20
v1.7.21
v1.7.22
v1.7.23
v1.7.24
v1.7.25
v1.7.26
v1.7.27
v1.7.28
v1.7.29
v1.7.3
v1.7.30
v1.7.31
v1.7.32
v1.7.33
v1.7.34
v1.7.35
v1.7.36
v1.7.37
v1.7.38
v1.7.39
v1.7.4
v1.7.40
v1.7.41
v1.7.42
v1.7.43
v1.7.44
v1.7.45
v1.7.46
v1.7.47
v1.7.48
v1.7.49
v1.7.5
v1.7.50
v1.7.51
v1.7.52
v1.7.53
v1.7.54
v1.7.55
v1.7.56
v1.7.57
v1.7.58
v1.7.59
v1.7.6
v1.7.60
v1.7.61
v1.7.62
v1.7.63
v1.7.64
v1.7.65
v1.7.66
v1.7.67
v1.7.68
v1.7.69
v1.7.7
v1.7.70
v1.7.71
v1.7.72
v1.7.73
v1.7.74
v1.7.75
v1.7.76
v1.7.77
v1.7.78
v1.7.79
v1.7.8
v1.7.80
v1.7.81
v1.7.82
v1.7.83
v1.7.84
v1.7.85
v1.7.86
v1.7.87
v1.7.88
v1.7.89
v1.7.9
v1.7.90
v1.7.91
v1.7.92
v1.7.93
v1.7.94
v1.7.95
v1.7.96
v1.7.97
v1.7.98
v1.7.99
v1.8.0
v1.8.1
v1.8.10
v1.8.11
v1.8.12
v1.8.13
v1.8.14
v1.8.15
v1.8.16
v1.8.17
v1.8.18
v1.8.19
v1.8.2
v1.8.20
v1.8.21
v1.8.22
v1.8.23
v1.8.24
v1.8.25
v1.8.26
v1.8.27
v1.8.28
v1.8.29
v1.8.3
v1.8.30
v1.8.31
v1.8.32
v1.8.33
v1.8.34
v1.8.35
v1.8.36
v1.8.37
v1.8.38
v1.8.39
v1.8.4
v1.8.40
v1.8.41
v1.8.42
v1.8.43
v1.8.44
v1.8.45
v1.8.46
v1.8.47
v1.8.48
v1.8.49
v1.8.5
v1.8.50
v1.8.51
v1.8.52
v1.8.53
v1.8.54
v1.8.55
v1.8.56
v1.8.57
v1.8.58
v1.8.59
v1.8.6
v1.8.60
v1.8.61
v1.8.62
v1.8.63
v1.8.64
v1.8.65
v1.8.66
v1.8.67
v1.8.68
v1.8.7
v1.8.8
v1.8.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33735.json"