Platform: other
Component: mytube
Fixed in: 1.8.73
CVE-2026-33935 is a vulnerability affecting MyTube, a self-hosted downloader and player. An unauthenticated attacker can trigger failed login attempts, leading to administrator and visitor account lockouts. This impacts versions of MyTube prior to 1.8.72. A patch is available in version 1.8.72.
This vulnerability allows an attacker to effectively disable access to MyTube for both administrators and regular users. By repeatedly triggering failed login attempts through publicly accessible password verification endpoints, the attacker can exhaust the allowed number of attempts, resulting in account lockouts. This denial of access can disrupt the functionality of the MyTube instance and prevent legitimate users from accessing its features. The ease of exploitation, combined with the potential for widespread impact, makes this a significant security concern.
This vulnerability was publicly disclosed on 2026-03-27. There are currently no known public proof-of-concept exploits. The vulnerability's simplicity suggests a potential for easy exploitation, but active campaigns have not been reported. The vulnerability is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.39% (60th percentile)
CISA SSVC
The primary mitigation for CVE-2026-33935 is to upgrade MyTube to version 1.8.72 or later. If an immediate upgrade is not possible, consider implementing rate limiting on the password verification endpoints to restrict the number of failed login attempts within a given timeframe. This can help prevent attackers from quickly exhausting the login attempt allowance. Additionally, review and strengthen password policies to encourage users to choose strong, unique passwords, reducing the likelihood of successful brute-force attacks. After upgrading, confirm functionality by attempting a login with a previously locked account.
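To show why a per-client rate limit blunts this kind of lockout, the added example below (not MyTube's code) contrasts an assumed shared failure counter with a per-client sliding window. The class names, `clientId`, the limits and the scenario are hypothetical and constructed for illustration.

```javascript
// Added illustration, not MyTube code. Class names, clientId and limits are assumptions.
// Callers pass `now` (ms) and the boolean result of the real password check.

// Weak pattern: one failure counter per account, shared by every caller.
class GlobalLockout {
  constructor(maxFailures) {
    this.maxFailures = maxFailures;
    this.failures = 0;
  }
  attempt(_clientId, passwordOk) {
    if (this.failures >= this.maxFailures) return "locked";
    if (passwordOk) { this.failures = 0; return "ok"; }
    this.failures += 1;
    return "denied";
  }
}

// Hardened pattern: sliding window of failures per client (e.g. source address
// as reported by a trusted reverse proxy). One noisy client throttles only itself.
class PerClientLimiter {
  constructor(maxFailures, windowMs) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.failures = new Map(); // clientId -> timestamps of recent failures
  }
  attempt(clientId, passwordOk, now) {
    const recent = (this.failures.get(clientId) || []).filter(t => now - t < this.windowMs);
    if (recent.length >= this.maxFailures) {
      this.failures.set(clientId, recent);
      return "throttled";
    }
    if (passwordOk) { this.failures.delete(clientId); return "ok"; }
    recent.push(now);
    this.failures.set(clientId, recent);
    return "denied";
  }
}

// Constructed scenario: client "A" fails 10 times, then client "B" presents the right password.
function simulate(guard) {
  let last = "";
  for (let i = 0; i < 10; i++) last = guard.attempt("A", false, 1000 + i);
  return { noisyClient: last, legitimateUser: guard.attempt("B", true, 2000) };
}

console.log(simulate(new GlobalLockout(5)));           // legitimate user is locked out
console.log(simulate(new PerClientLimiter(5, 60000))); // only client A is throttled
```

Per-client throttling only helps if the client identifier cannot be spoofed, so take the source address from a proxy you control rather than from a request header supplied by the caller.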
Update MyTube to version 1.8.72 or later. This version fixes the unauthenticated account lockout vulnerability.
CVE-2026-33935 is a vulnerability in MyTube that allows unauthenticated attackers to lock out administrator and visitor accounts by triggering failed login attempts.
You are affected if you are using MyTube version 1.8.72 or earlier. Upgrade to 1.8.72 to mitigate the risk.
Upgrade MyTube to version 1.8.72 or later. As a temporary workaround, implement rate limiting on the password verification endpoints.
There are currently no reports of active exploitation, but the vulnerability's simplicity suggests a potential for exploitation.
Refer to the MyTube project's official website or repository for the latest security advisories and release notes.