SUSE CVE-2026-26331
yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 and prior to version 2026.02.21, when yt-dlp's --netrc-cmd command-line option or netrccmd Python API parameter is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously...
CVE-2026-26331
yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 and prior to version 2026.02.21, when yt-dlp's --netrc-cmd command-line option or netrccmd Python API parameter is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously...
yt-dlp Operating System Command Injection Vulnerability
yt-dlp is a fork of youtube-dl based on the now-deprecated youtube-dlc. Versions of yt-dlp from 2023.06.21 to 2026.02.21 had an operating system command injection vulnerability. This vulnerability occurred when using the --netrc-cmd command-line option, which might allow command injection,...
Command Injection
Overview yt-dlp is a youtube-dl fork with additional features and patches. Affected versions of this package are vulnerable to Command Injection in the --netrc-cmd option and netrccmd API parameter, which invoke subprocess.Popen with shell=True. The GetCourseRuIE, TeachableIE, and...
amusing-app (>=0.2.0 <=0.4.2), arbi-tr-frontend (>=0.1.0 <=0.1.1) +126 more potentially affected by CVE-2026-26331 via yt-dlp (>=2023.6.22 <=2026.1.31)
yt-dlp PYPI version =2023.6.22, =0.2.0, =0.1.0, =2.0.0, =1.1.5, =0.1.7, =1.0.0, =1.0.0, =0.1.0, =2024.3.25, =1.1.1, =0.0.2, =0.1.16, =0.4.3, =0.4.4 and more Source cves: CVE-2026-26331 Source advisory: SNYK:PYTHON-YTDLP-15338139...
EUVD-2023-12460
Malicious code in bioql PyPI...
EUVD-2023-2412
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2024-22423
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - yt-dlp is a youtube-dl fork with additional features and fixes. The patch that addressed CVE-2023-40581 attempted to prevent RCE when using --exec with %q by...
Remote Code Execution (RCE)
yt-dlp is vulnerable to Remote Code Execution (RCE). The vulnerability is due to improper handling of the --exec placeholder on Windows, allowing crafted file paths to execute arbitrary commands...
batata-lib (>=0.1.7 <=0.1.8), boosty-downloader (>=1.0.0 <=3.0.0) +76 more potentially affected by CVE-2025-54072 via yt-dlp (>=2025.10.14 <=2025.6.9)
yt-dlp PYPI version =2025.10.14, =0.1.7, =1.0.0, =0.0.2, =0.1.16, =0.4.3, =0.0.2.2, =0.1.0, =3.2.0, =3.4.2 and more Source cves: CVE-2025-54072 Source advisory: SNYK:PYTHON-YTDLP-10878169...
CVE-2025-54072 yt-dlp allows `--exec` command injection when using placeholder on Windows
yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.06.25 and below, when the --exec option is used on Windows with the default placeholder or , insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. This is a bypass of the...
PT-2025-30264 · Eslint +1 · @Eslint/Plugin-Kit +1
Name of the Vulnerable Software and Affected Versions: yt-dlp versions 2025.06.25 and below Description: yt-dlp is a command-line audio/video downloader. A flaw exists where, on Windows, using the --exec option with the default placeholder or results in insufficient sanitization of the expanded...
CVE-2019-9701
DLP 15.5 MP1 and all prior versions may be susceptible to a cross-site scripting (XSS) vulnerability, a type of issue that can enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls...
Linux Distros Unpatched Vulnerability : CVE-2023-35934
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - yt-dlp is a command-line program to download videos from video sites. During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak...
The vulnerability in the yt-dlp download utility lies in its lack of measures to neutralize special elements used in the operating system's command line, allowing an attacker to execute arbitrary code.
The vulnerability in the YouTube-DLP download utility exists due to the lack of measures taken to neutralize special elements. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...
amusing-app (>=0.2.0 <=0.4.2), arbi-tr-frontend (>=0.1.0 <=0.1.1) +57 more potentially affected by unknown CVE via yt-dlp (>=2023.9.24 <=2024.7.25)
yt-dlp PYPI version =2023.9.24, =0.2.0, =0.1.0, =2.0.0, =1.0.0, =0.1.0, =2024.3.25, =1.1.1, =0.0.1.2, =1.0.1.1, =0.3.0, =3.1.1, =0.1.0, =0.1.0, =0.1.1 - khan-dl =1.2.9 and more Source cves: unknown CVE Source advisory: OSV:GHSA-3V33-3WMW-3785...
Path Traversal
yt-dlp is vulnerable to Path Traversal. The vulnerability is due to unrestricted file extensions of downloaded files, resulting in arbitrary filenames and path traversal on Windows, which could allow an attacker to execute arbitrary code...
OS Command Injection
yt-dlp is vulnerable to OS Command Injection. This vulnerability is due to insufficient escaping of special characters, specifically in the expansion of output templates within the --exec option...
africanwhisper (=0.2.8), basketcase (>=1.0.5 <=3.1.1) +22 more potentially affected by CVE-2023-46121 via yt-dlp (>=2022.10.4 <=2023.10.7)
yt-dlp PYPI version =2022.10.4, =1.0.5, =0.3.0, =0.1.2, =0.3.1, =0.4.0, =0.7.0, =0.9.42, =0.14.0, =4.0.0, =1.0.5, =2022.12.4, =2023.4.15 and more Source cves: CVE-2023-46121 Source advisory: OSV:GHSA-3CH3-JHC6-5R8X...
africanwhisper (>=0.2.8 <=0.9.0), agentx-tools (>=0.2.0 <=0.7.1) +74 more potentially affected by CVE-2023-40581 +1 more via yt-dlp (>=2021.9.2 <=2023.7.6)
yt-dlp PYPI version =2021.9.2, =0.2.8, =0.2.0, =2023.3.3, =0.1.0, =0.3.0, =0.0.4, =1.4.0, =0.1.0, =1.0.2, =2.0.0a1, =11.7.1, =2.3.10, =3.0.1 and more Source cves: CVE-2023-40581, CVE-2024-22423 Source advisory: OSV:GHSA-42H4-V29R-42QG...