cvedb.io
CVE-2026-33935
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-03-27T01:16:21.647 · Last modified 2026-06-17T10:38:19.770

Summary

MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification endpoints, all of which are publicly accessible. All three endpoints share a single file-backed login attempt state stored in `login-attempts.json`. When any endpoint records a failed authentication attempt via `recordFailedAttempt()`, the shared login attempt state is updated, increasing the `failedAttempts` counter and adjusting the associated timestamps and cooldown values. Before verifying a password, each endpoint calls `canAttemptLogin()`. This function checks the shared JSON file to determi

Affected products

franklioxygen — mytube

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.