Denial of Service in MyTube Video Downloader and Player
CVE-2026-33935

7.7 HIGH

Key Information:

CVE Published: 27 March 2026

What is CVE-2026-33935?

MyTube, a self-hosted video downloader and player, suffers from a vulnerability that allows an unauthenticated attacker to lock out administrator and visitor accounts by triggering multiple failed login attempts. The application features three publicly accessible password verification endpoints that share a single login attempt state stored in a JSON file. When an invalid login is attempted, the shared counter for failed attempts is incremented, and a cooldown period is initiated. By exploiting this behavior, an attacker can systematically increase the lockout duration, leading to a denial of service for legitimate users. Once the lockout reaches its maximum duration of 24 hours, the attacker can continue this cycle, preventing users from authenticating for extended periods. This issue is resolved in version 1.8.72.
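The shared-counter behaviour described above, modelled in memory beside a per-source variant, as an added example (not MyTube's code and not the 1.8.72 fix). The endpoint names, the doubling backoff schedule, the sample password and the per-source keying are assumptions; only the shared state and the 24-hour ceiling come from the advisory.

```python
import hmac
from dataclasses import dataclass

MAX_COOLDOWN = 24 * 60 * 60   # the advisory's 24-hour ceiling, in seconds
BASE_COOLDOWN = 1             # assumed: the page gives no backoff schedule
ENDPOINTS = ("/verify-a", "/verify-b", "/verify-c")  # hypothetical names
PASSWORD = "correct horse"    # constructed sample secret


@dataclass
class Throttle:
    failures: int = 0
    locked_until: float = 0.0

    def fail(self, now: float) -> None:
        # Each failure doubles the cooldown until it reaches the ceiling.
        self.failures += 1
        self.locked_until = now + min(BASE_COOLDOWN * 2 ** self.failures, MAX_COOLDOWN)


def check(state: Throttle, supplied: str, now: float) -> str:
    if now < state.locked_until:
        return "locked"
    if hmac.compare_digest(supplied.encode(), PASSWORD.encode()):
        state.failures, state.locked_until = 0, 0.0
        return "ok"
    state.fail(now)
    return "denied"


class SharedState:
    """Pattern from the advisory: one counter for all endpoints and all clients."""
    def __init__(self):
        self.state = Throttle()

    def verify(self, client, endpoint, supplied, now):
        return check(self.state, supplied, now)


class PerClientState:
    """Assumed mitigation: failures are tracked per source address."""
    def __init__(self):
        self.states = {}

    def verify(self, client, endpoint, supplied, now):
        return check(self.states.setdefault(client, Throttle()), supplied, now)


def admin_result(auth, seconds=40):
    """An unknown client fails once per second across endpoints; then the admin logs in."""
    for t in range(seconds):
        auth.verify("198.51.100.7", ENDPOINTS[t % 3], "wrong", float(t))
    return auth.verify("192.0.2.10", ENDPOINTS[0], PASSWORD, float(seconds))
```

Keying on source address removes the global lockout but relies on that address being trustworthy, so behind a reverse proxy it must come from a header set by a proxy the application is configured to trust.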

Affected Version(s)

MyTube < 1.8.72

CVSS V4

Score: 7.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
