Which versions of Mytube are affected by EUVD-2026-16521?

MyTube versions prior to 1.8.72 contain a critical authentication denial-of-service vulnerability that allows unauthenticated attackers to lock out all users-including administrators-by exploiting a…. A patch is available.

How to fix or mitigate EUVD-2026-16521?

Within 24 hours: identify all MyTube instances in production and document current versions. Within 7 days: apply vendor patch to upgrade all MyTube installations to version 1.8.72 or later, starting with production environments; coordinate rollout with change management. Within 30 days: conduct post-patch validation, review authentication logs for prior exploitation attempts, and implement rate-limiting controls on authentication endpoints if not already present.

Mytube EUVD-2026-16521

Q: What is the CVSS score of EUVD-2026-16521?

EUVD-2026-16521 has a CVSS 4.0 base score of 7.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

| CVE-2026-33935 HIGH

Improper Restriction of Excessive Authentication Attempts (CWE-307)

2026-03-27 GitHub_M

Denial Of Service Mytube

7.7

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.7 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:12 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

1.8.72

EUVD ID Assigned

Mar 27, 2026 - 01:15 euvd

EUVD-2026-16521

Analysis Generated

Mar 27, 2026 - 01:15 vuln.today

CVE Published

Mar 27, 2026 - 00:43 nvd

HIGH 7.7

DescriptionGitHub Advisory

MyTube is a self-hosted downloader and player for several video websites Prior to version 1.8.72, an unauthenticated attacker can lock out administrator and visitor accounts from password-based authentication by triggering failed login attempts. The application exposes three password verification endpoints, all of which are publicly accessible. All three endpoints share a single file-backed login attempt state stored in login-attempts.json. When any endpoint records a failed authentication attempt via recordFailedAttempt(), the shared login attempt state is updated, increasing the failedAttempts counter and adjusting the associated timestamps and cooldown values. Before verifying a password, each endpoint calls canAttemptLogin(). This function checks the shared JSON file to determine whether a cooldown period is active. If the cooldown has not expired, the request is rejected before the password is validated. Because the failed attempt counter and cooldown timer are globally shared, failed authentication attempts against any endpoint affect all other endpoints. An attacker can exploit this by repeatedly sending invalid authentication requests to any of these endpoints, incrementing the shared counter and waiting for the cooldown period between attempts. By doing so, the attacker can progressively increase the lockout duration until it reaches 24 hours, effectively preventing legitimate users from authenticating. Once the maximum lockout is reached, the attacker can maintain the denial of service indefinitely by waiting for the cooldown to expire and sending another failed attempt, which immediately triggers another 24-hour lockout if no successful login occurred in the meantime. Version 1.8.72 fixes the vulnerability.

AnalysisAI

MyTube prior to version 1.8.72 permits unauthenticated attackers to trigger indefinite account lockouts affecting both administrator and visitor authentication by exploiting a shared, globally-scoped login attempt counter across three publicly accessible password verification endpoints. An attacker can repeatedly send invalid authentication requests to any endpoint, progressively increasing a 24-hour cooldown lockout duration that applies to all endpoints simultaneously, effectively denying legitimate users password-based authentication until the patch is deployed. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Send HTTP requests to password verification endpoints

Exploit

Trigger failed login attempts repeatedly

Execution

Increment shared login attempt counter

Impact

Lock out all user accounts from authentication