PT-2026-28518 · Mytube · Mytube
Daniel-Grunbergerca
Published: 2026-03-27 · Updated: 2026-03-27
CVE-2026-33735
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
MyTube versions prior to 1.8.69
Description
MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.69, an authorization bypass exists in the /api/settings/import-database API endpoint. This bypass allows attackers with low-privilege credentials to upload and replace the application's SQLite database, resulting in a full compromise of the application. The bypass is also relevant for other POST routes.
Recommendations
Versions prior to 1.8.69 should be updated to version 1.8.69 or later.
Exploit
Fix
IDOR
Improper Authorization
Related identifiers
Affected products
Mytube