Which versions of Mytube are affected by EUVD-2026-16512?

MyTube versions before 1.8.69 contain an authorization bypass that allows authenticated users with low privileges to replace the entire application database, leading to complete compromise of…. A patch is available.

How to fix or mitigate EUVD-2026-16512?

Within 24 hours: Identify all MyTube instances in your environment and document current versions. Within 7 days: Upgrade all MyTube installations to version 1.8.69 or later; verify upgrade completion across all self-hosted instances. Within 30 days: Conduct access log review for the `/api/settings/import-database` endpoint to identify any unauthorized database replacement attempts; validate database integrity and restore from clean backups if compromise is suspected.

Mytube EUVD-2026-16512

Q: What is the CVSS score of EUVD-2026-16512?

EUVD-2026-16512 has a CVSS 4.0 base score of 7.4 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-33735 HIGH

Improper Authorization (CWE-285)

2026-03-27 GitHub_M

Authentication Bypass Mytube

7.4

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.4 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:12 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

1.8.69

EUVD ID Assigned

Mar 27, 2026 - 01:15 euvd

EUVD-2026-16512

Analysis Generated

Mar 27, 2026 - 01:15 vuln.today

CVE Published

Mar 27, 2026 - 00:36 nvd

HIGH 7.4

DescriptionGitHub Advisory

MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.69, an authorization bypass in the /api/settings/import-database endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a full compromise of the application. The bypass is relevant for other POST routes as well. Version 1.8.69 fixes the issue.

AnalysisAI

MyTube versions prior to 1.8.69 suffer from an authorization bypass in the /api/settings/import-database endpoint that allows low-privilege authenticated users to upload and replace the application's SQLite database entirely, resulting in complete application compromise. The vulnerability affects self-hosted instances of MyTube and extends to other POST routes using the same flawed authorization mechanism. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate with low-privilege credentials

Delivery

Send POST request to /api/settings/import-database

Exploit

Upload malicious SQLite database

Execution

Replace legitimate database

Impact

Achieve full application compromise