CVE-2026-33935

MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification...

CVE-2026-33935

MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification...

CVE-2026-33935

MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification...

CVE-2026-33935

CVE-2026-33935 (MyTube) : The self-hosted MyTube app allows three publicly accessible password-verification endpoints that share a single file-backed login state (login-attempts.json). When a failed attempt is recorded via recordFailedAttempt(), the global failedAttempts counter and cooldown time...

CVE-2026-33935 MyTube has Unauthenticated Account Lockout via Shared Login Attempt State

MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification...