PT-2026-28567 · Mytube · Mytube

Daniel-Grunbergerca · Published 2026-03-27 · Updated 2026-03-27 · CVE-2026-33935

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: MyTube versions prior to 1.8.72

Description: MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three publicly accessible password verification API endpoints that share a single file-backed login attempt state stored in login-attempts.json. Each endpoint uses the recordFailedAttempt() function to update a shared failedAttempts counter and its associated timestamps, and the canAttemptLogin() function checks this shared state to determine whether a cooldown period is active before validating a password. Because the counter and cooldown timer are globally shared rather than scoped to an account or client, failed attempts against any endpoint affect all others. An attacker can exploit this by repeatedly sending invalid authentication requests to any of these endpoints, progressively increasing the lockout duration up to 24 hours. Once the maximum lockout is reached, the attacker can maintain the denial of service indefinitely.

Recommendations: Versions prior to 1.8.72 should be updated to version 1.8.72 or later.
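The following is an added example, not MyTube's own code: it models the single shared login-attempt bucket the advisory describes next to a per-principal bucket, so the lockout can be exercised against a fake clock. The names recordFailedAttempt/canAttemptLogin mirror the advisory; the threshold, the backoff schedule, the key format and the sample addresses are assumptions.

```javascript
const MAX_LOCKOUT_MS = 24 * 60 * 60 * 1000; // 24 h ceiling named in the advisory
const BASE_DELAY_MS = 1000;                  // assumed first cooldown
const FREE_ATTEMPTS = 3;                     // assumed failures allowed before any cooldown

// keyFn decides which bucket a failure lands in; that choice is the whole
// difference between the vulnerable and the hardened limiter below.
function makeLimiter(keyFn, now = () => Date.now()) {
  const attempts = new Map(); // stands in for the file-backed login-attempts.json
  const get = (k) => attempts.get(k) ?? { failedAttempts: 0, lockedUntil: 0 };
  return {
    canAttemptLogin(account, clientIp) {
      return now() >= get(keyFn(account, clientIp)).lockedUntil;
    },
    recordFailedAttempt(account, clientIp) {
      const k = keyFn(account, clientIp);
      const e = get(k);
      e.failedAttempts += 1;
      const over = e.failedAttempts - FREE_ATTEMPTS;
      if (over > 0) {
        // exponential backoff, capped so the cooldown can never exceed 24 h
        e.lockedUntil = now() + Math.min(BASE_DELAY_MS * 2 ** (over - 1), MAX_LOCKOUT_MS);
      }
      attempts.set(k, e);
      return Math.max(0, e.lockedUntil - now()); // remaining cooldown in ms
    },
    recordSuccess(account, clientIp) { attempts.delete(keyFn(account, clientIp)); },
  };
}

// Vulnerable shape: one bucket for every endpoint and every caller, so any
// client's failures raise the cooldown that every other login then hits.
const sharedLimiter = (now) => makeLimiter(() => 'global', now);
// Hardened shape: one bucket per (account, client) pair, so a remote caller's
// failures cannot lock the legitimate owner of a different account.
const keyedLimiter = (now) => makeLimiter((a, ip) => `${a}|${ip}`, now);

// Reports whether the administrator, logging in from its own address, can still
// attempt a login right after `failures` bad attempts by another client
// against the visitor login. Addresses are constructed sample values.
function adminStillUsable(limiterFactory, failures) {
  const lim = limiterFactory(() => 0); // frozen clock: no cooldown ever expires
  for (let i = 0; i < failures; i++) lim.recordFailedAttempt('visitor', '198.51.100.7');
  return lim.canAttemptLogin('admin', '203.0.113.5');
}
```

With the shared bucket the administrator is locked out by failures it never caused; with the keyed bucket it is unaffected, and the cap keeps any single bucket's cooldown at or below 24 hours.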

Weakness Enumeration

CWE-307: Improper Restriction of Excessive Authentication Attempts

Related Identifiers

CVE-2026-33935
GHSA-6W95-QGC4-5JXF

Affected Products

Mytube