206 matches found
CVE-2026-55404
A flaw was found in yt-dlp and youtube-dl, command-line tools for downloading audio and video. This vulnerability allows an attacker to inject malicious code into shortcut files .url or .desktop when certain options, such as --write-link, are used. By manipulating the webpageurl or filename...
CVE-2026-55404 yt-dlp: Downstream command injection via improper sanitization of yt-dlp --write-link output
yt-dlp and youtube-dl are command-line audio/video downloaders. Prior to 2026.7.4, the --write-link, --write-url-link, and --write-desktop-link options can write .url or .desktop shortcut files using attacker-controlled webpageurl or filename metadata without sufficient validation or escaping,...
CVE-2026-55404
YT-dlp and YouTube-dl before 2026.7.4 expose a vulnerability through --write-link, --write-url-link, and --write-desktop-link that can write .url/.desktop shortcuts using attacker-controlled metadata, enabling file:// URI or desktop entry key injection and potential command execution when opened....
CVE-2026-55404 yt-dlp: Downstream command injection via improper sanitization of yt-dlp --write-link output
yt-dlp and youtube-dl are command-line audio/video downloaders. Prior to 2026.7.4, the --write-link, --write-url-link, and --write-desktop-link options can write .url or .desktop shortcut files using attacker-controlled webpageurl or filename metadata without sufficient validation or escaping,...
python313-yt-dlp-2026.07.04-1.1 on GA media (moderate)
python313-yt-dlp-2026.07.04-1.1 on GA media Announcement ID: openSUSE-SU-2026:11196-1 Rating: moderate Cross-References: CVE-2026-55404 Affected Products: openSUSE Tumbleweed An update that solves one vulnerability can now be installed. Description: These are all security issues fixed in the...
MGASA-2026-0234 Updated yt-dlp packages fix security vulnerabilities
CVE-2026-50019 If curl is used as an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's. CVE-2026-50023 A vulnerability exists in yt-dlp that allows a remote attacker to write...
[SECURITY] Fedora 43 Update: yt-dlp-2026.06.09-1.fc43
yt-dlp is a command-line program to download videos from many different online video platforms, such as youtube.com. The project is a fork of youtube-dl with additional features and fixes...
Linux Distros Unpatched Vulnerability : CVE-2026-50023
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, a vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary...
Fedora 43 : yt-dlp (2026-03f87de373)
The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-03f87de373 advisory. - Update to 2026.06.09. Fixes rhbz2487407. - Mitigates CVE-2026-50019, CVE-2026-50023, CVE-2026-50574 Tenable has extracted the preceding descriptio...
Linux Distros Unpatched Vulnerability : CVE-2026-50019
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - yt-dlp is a command-line audio/video downloader. From 2023.09.24 until 2026.06.09, if curl is used as an external downloader for yt-dlp, cookies may be leaked t...
Linux Distros Unpatched Vulnerability : CVE-2026-50574
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, if aria2c is used as an external downloader for a fragmented manifest format such as an...
CVE-2026-50574
yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, if aria2c is used as an external downloader for a fragmented manifest format such as an HLS/DASH stream, yt-dlp passes insufficiently sanitized input to aria2c that allows an attacker to perform an arbitrary file write. On...
DEBIAN-CVE-2026-50023
yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, a vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files such as .desktop, .url, .webloc to the user's filesystem, bypassing the remediation for CVE-2024-38519. The allowlist explicitl...
CVE-2026-50019
yt-dlp is a command-line audio/video downloader. From 2023.09.24 until 2026.06.09, if curl is used as an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's. At the file downloa...
UBUNTU-CVE-2026-50574
yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, if aria2c is used as an external downloader for a fragmented manifest format such as an HLS/DASH stream, yt-dlp passes insufficiently sanitized input to aria2c that allows an attacker to perform an arbitrary file write. On...
UBUNTU-CVE-2026-50019
yt-dlp is a command-line audio/video downloader. From 2023.09.24 until 2026.06.09, if curl is used as an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's. At the file downloa...
UBUNTU-CVE-2026-50023
yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, a vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files such as .desktop, .url, .webloc to the user's filesystem, bypassing the remediation for CVE-2024-38519. The allowlist explicitl...
CVE-2026-50019
yt-dlp is a command-line audio/video downloader. From 2023.09.24 until 2026.06.09, if curl is used as an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's. At the file downloa...
CVE-2026-50019 yt-dlp: File Downloader cookie leak with curl
yt-dlp is a command-line audio/video downloader. From 2023.09.24 until 2026.06.09, if curl is used as an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's. At the file downloa...
CVE-2026-50019
CVE-2026-50019 affects yt-dlp when curl is used as an external downloader. The root cause is that cookies may be leaked to unintended hosts during HTTP redirects or when download fragments’ host differs from the manifest, because cookies sent via --cookie are not activated unless loaded from a fi...