{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33935", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T19:50:52.103Z", "datePublished": "2026-03-27T00:43:49.590Z", "dateUpdated": "2026-03-27T20:02:20.942Z"}, "containers": {"cna": {"title": "MyTube has Unauthenticated Account Lockout via Shared Login Attempt State", "problemTypes": [{"descriptions": [{"cweId": "CWE-307", "lang": "en", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-6w95-qgc4-5jxf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-6w95-qgc4-5jxf"}, {"name": "https://github.com/franklioxygen/MyTube/commit/4d89b146b16d08f27d8fd3e0a9122b109335deb1", "tags": ["x_refsource_MISC"], "url": "https://github.com/franklioxygen/MyTube/commit/4d89b146b16d08f27d8fd3e0a9122b109335deb1"}, {"name": "https://github.com/franklioxygen/MyTube/commit/752bc7f0ac83df8c881e6b6d5dd6f36bb274ee58", "tags": ["x_refsource_MISC"], "url": "https://github.com/franklioxygen/MyTube/commit/752bc7f0ac83df8c881e6b6d5dd6f36bb274ee58"}, {"name": "https://github.com/franklioxygen/MyTube/commit/dd7b4a611fcc5b25a569f379be9a503eb413b6aa", "tags": ["x_refsource_MISC"], "url": "https://github.com/franklioxygen/MyTube/commit/dd7b4a611fcc5b25a569f379be9a503eb413b6aa"}, {"name": "https://github.com/franklioxygen/MyTube/blob/941035909ee3f96a6f80f38acf70cbc3e66b5098/backend/src/services/loginAttemptService.ts#L13", "tags": ["x_refsource_MISC"], "url": "https://github.com/franklioxygen/MyTube/blob/941035909ee3f96a6f80f38acf70cbc3e66b5098/backend/src/services/loginAttemptService.ts#L13"}], "affected": [{"vendor": "franklioxygen", "product": "MyTube", "versions": [{"version": "< 1.8.72", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:43:49.590Z"}, "descriptions": [{"lang": "en", "value": "MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification endpoints, all of which are publicly accessible. All three endpoints share a single file-backed login attempt state stored in `login-attempts.json`. When any endpoint records a failed authentication attempt via `recordFailedAttempt()`, the shared login attempt state is updated, increasing the `failedAttempts` counter and adjusting the associated timestamps and cooldown values. Before verifying a password, each endpoint calls `canAttemptLogin()`. This function checks the shared JSON file to determine whether a cooldown period is active. If the cooldown has not expired, the request is rejected before the password is validated. Because the failed attempt counter and cooldown timer are globally shared, failed authentication attempts against any endpoint affect all other endpoints. An attacker can exploit this by repeatedly sending invalid authentication requests to any of these endpoints, incrementing the shared counter and waiting for the cooldown period between attempts. By doing so, the attacker can progressively increase the lockout duration until it reaches 24 hours, effectively preventing legitimate users from authenticating. Once the maximum lockout is reached, the attacker can maintain the denial of service indefinitely by waiting for the cooldown to expire and sending another failed attempt, which immediately triggers another 24-hour lockout if no successful login occurred in the meantime. Version 1.8.72 fixes the vulnerability."}], "source": {"advisory": "GHSA-6w95-qgc4-5jxf", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T20:02:10.135497Z", "id": "CVE-2026-33935", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:02:20.942Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33935", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T20:02:10.135497Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T20:02:16.543Z"}}], "cna": {"title": "MyTube has Unauthenticated Account Lockout via Shared Login Attempt State", "source": {"advisory": "GHSA-6w95-qgc4-5jxf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "franklioxygen", "product": "MyTube", "versions": [{"status": "affected", "version": "< 1.8.72"}]}], "references": [{"url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-6w95-qgc4-5jxf", "name": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-6w95-qgc4-5jxf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/franklioxygen/MyTube/commit/4d89b146b16d08f27d8fd3e0a9122b109335deb1", "name": "https://github.com/franklioxygen/MyTube/commit/4d89b146b16d08f27d8fd3e0a9122b109335deb1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/franklioxygen/MyTube/commit/752bc7f0ac83df8c881e6b6d5dd6f36bb274ee58", "name": "https://github.com/franklioxygen/MyTube/commit/752bc7f0ac83df8c881e6b6d5dd6f36bb274ee58", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/franklioxygen/MyTube/commit/dd7b4a611fcc5b25a569f379be9a503eb413b6aa", "name": "https://github.com/franklioxygen/MyTube/commit/dd7b4a611fcc5b25a569f379be9a503eb413b6aa", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/franklioxygen/MyTube/blob/941035909ee3f96a6f80f38acf70cbc3e66b5098/backend/src/services/loginAttemptService.ts#L13", "name": "https://github.com/franklioxygen/MyTube/blob/941035909ee3f96a6f80f38acf70cbc3e66b5098/backend/src/services/loginAttemptService.ts#L13", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification endpoints, all of which are publicly accessible. All three endpoints share a single file-backed login attempt state stored in `login-attempts.json`. When any endpoint records a failed authentication attempt via `recordFailedAttempt()`, the shared login attempt state is updated, increasing the `failedAttempts` counter and adjusting the associated timestamps and cooldown values. Before verifying a password, each endpoint calls `canAttemptLogin()`. This function checks the shared JSON file to determine whether a cooldown period is active. If the cooldown has not expired, the request is rejected before the password is validated. Because the failed attempt counter and cooldown timer are globally shared, failed authentication attempts against any endpoint affect all other endpoints. An attacker can exploit this by repeatedly sending invalid authentication requests to any of these endpoints, incrementing the shared counter and waiting for the cooldown period between attempts. By doing so, the attacker can progressively increase the lockout duration until it reaches 24 hours, effectively preventing legitimate users from authenticating. Once the maximum lockout is reached, the attacker can maintain the denial of service indefinitely by waiting for the cooldown to expire and sending another failed attempt, which immediately triggers another 24-hour lockout if no successful login occurred in the meantime. Version 1.8.72 fixes the vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:43:49.590Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33935", "state": "PUBLISHED", "dateUpdated": "2026-03-27T20:02:20.942Z", "dateReserved": "2026-03-24T19:50:52.103Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T00:43:49.590Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:franklioxygen:mytube:*:*:*:*:*:*:*:*", "matchCriteriaId": "AC5F4E04-3433-4AC5-AAB8-2D9398E2E0BC", "versionEndExcluding": "1.8.72", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification endpoints, all of which are publicly accessible. All three endpoints share a single file-backed login attempt state stored in `login-attempts.json`. When any endpoint records a failed authentication attempt via `recordFailedAttempt()`, the shared login attempt state is updated, increasing the `failedAttempts` counter and adjusting the associated timestamps and cooldown values. Before verifying a password, each endpoint calls `canAttemptLogin()`. This function checks the shared JSON file to determine whether a cooldown period is active. If the cooldown has not expired, the request is rejected before the password is validated. Because the failed attempt counter and cooldown timer are globally shared, failed authentication attempts against any endpoint affect all other endpoints. An attacker can exploit this by repeatedly sending invalid authentication requests to any of these endpoints, incrementing the shared counter and waiting for the cooldown period between attempts. By doing so, the attacker can progressively increase the lockout duration until it reaches 24 hours, effectively preventing legitimate users from authenticating. Once the maximum lockout is reached, the attacker can maintain the denial of service indefinitely by waiting for the cooldown to expire and sending another failed attempt, which immediately triggers another 24-hour lockout if no successful login occurred in the meantime. Version 1.8.72 fixes the vulnerability."}, {"lang": "es", "value": "MyTube es un descargador y reproductor autoalojado para varios sitios web de videos. Antes de la versi\u00f3n 1.8.72, un atacante no autenticado puede bloquear las cuentas de administrador y visitante de la autenticaci\u00f3n basada en contrase\u00f1a al desencadenar intentos de inicio de sesi\u00f3n fallidos. La aplicaci\u00f3n expone tres puntos finales de verificaci\u00f3n de contrase\u00f1a, todos los cuales son de acceso p\u00fablico. Los tres puntos finales comparten un \u00fanico estado de intento de inicio de sesi\u00f3n respaldado por archivo almacenado en 'login-attempts.json'. Cuando cualquier punto final registra un intento de autenticaci\u00f3n fallido a trav\u00e9s de 'recordFailedAttempt()', el estado compartido de intento de inicio de sesi\u00f3n se actualiza, aumentando el contador 'failedAttempts' y ajustando las marcas de tiempo y los valores de enfriamiento asociados. Antes de verificar una contrase\u00f1a, cada punto final llama a 'canAttemptLogin()'. Esta funci\u00f3n verifica el archivo JSON compartido para determinar si un per\u00edodo de enfriamiento est\u00e1 activo. Si el enfriamiento no ha expirado, la solicitud es rechazada antes de que la contrase\u00f1a sea validada. Debido a que el contador de intentos fallidos y el temporizador de enfriamiento se comparten globalmente, los intentos de autenticaci\u00f3n fallidos contra cualquier punto final afectan a todos los dem\u00e1s puntos finales. Un atacante puede explotar esto enviando repetidamente solicitudes de autenticaci\u00f3n inv\u00e1lidas a cualquiera de estos puntos finales, incrementando el contador compartido y esperando el per\u00edodo de enfriamiento entre intentos. Al hacerlo, el atacante puede aumentar progresivamente la duraci\u00f3n del bloqueo hasta que alcance las 24 horas, impidiendo efectivamente que los usuarios leg\u00edtimos se autentiquen. Una vez que se alcanza el bloqueo m\u00e1ximo, el atacante puede mantener la denegaci\u00f3n de servicio indefinidamente esperando que expire el enfriamiento y enviando otro intento fallido, lo que desencadena inmediatamente otro bloqueo de 24 horas si no se produjo ning\u00fan inicio de sesi\u00f3n exitoso mientras tanto. La versi\u00f3n 1.8.72 corrige la vulnerabilidad."}], "id": "CVE-2026-33935", "lastModified": "2026-04-01T13:42:53.700", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T01:16:21.647", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/franklioxygen/MyTube/blob/941035909ee3f96a6f80f38acf70cbc3e66b5098/backend/src/services/loginAttemptService.ts#L13"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/franklioxygen/MyTube/commit/4d89b146b16d08f27d8fd3e0a9122b109335deb1"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/franklioxygen/MyTube/commit/752bc7f0ac83df8c881e6b6d5dd6f36bb274ee58"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/franklioxygen/MyTube/commit/dd7b4a611fcc5b25a569f379be9a503eb413b6aa"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/franklioxygen/MyTube/security/advisories/GHSA-6w95-qgc4-5jxf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.72)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "MyTube", "source": "cna", "vendor": "franklioxygen"}, "product": "mytube", "vendor": "franklioxygen"}], "analysis": {"en": {"generated_at": "2026-04-02T04:11:43.095570+00:00", "value": {"mitigation_remediation": ["Update MyTube to version 1.8.72 or later, the fixed release provided by the vendor."], "summary": {"action": "Patch Immediately", "impact": "Remote Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in the MyTube application from version 1.8.71 and earlier, as developed by franklioxygen. It affects all deployments of MyTube using the shared login attempt state mechanism, regardless of hosting environment, and can be exploited through any of the three publicly accessible login endpoints.", "description_and_impact": "An unauthenticated attacker can trigger successive failed login attempts against any of the three publicly exposed password verification endpoints in MyTube, causing a globally shared lockout counter to reach its maximum value. The resulting 24\u2011hour lockout blocks all administrator and visitor accounts from using password\u2011based authentication. This leads to a denial of service that can be sustained indefinitely by repeating the attack pattern, without any successful login occurring to reset the lockout.", "risk_and_exploitability": "The issue carries a CVSS score of 7.7, indicating a high severity. The EPSS score is listed as below 1%, suggesting that widespread exploitation is currently unlikely, but the vulnerability is not included in the CISA KEV catalog. Attackers can perform the exploit without authentication by repeatedly sending invalid credentials to any endpoint, which is facilitated by the publicly exposed login routes. Once the lockout is triggered, the denial remains until the cooldown period expires or a successful login resets the counter."}}}}, "created": "2026-03-27T08:31:06.508934+00:00", "updated": "2026-04-02T07:55:49.985308+00:00", "vendors": ["franklioxygen", "franklioxygen$PRODUCT$mytube"]}