EXECUTIVE SUMMARY:
An arbitrary command injection flaw (CVE-2026-26331) exists in the yt-dlp tool when a netrc-based command execution option is used. It could allow an attacker to execute arbitrary commands on the host system if they can induce a user to process a maliciously crafted URL. The issue occurs because yt-dlp dynamically constructs and executes shell commands from externally influenced input without sufficient sanitization, so specially crafted URLs that abuse wildcard and dynamic hostname matching during extraction can trigger the unsafe behavior. Successful exploitation could compromise the integrity, confidentiality, and availability of affected users' systems. Environments that do not rely on this netrc-related command execution mechanism, including the equivalent Python API usage, are not impacted. Mitigation requires upgrading to a patched version that enforces strict validation of netrc machine values and eliminates unsafe shell invocation patterns. The vulnerability has a CVSS score of 8.8.
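The two mitigations named above, strict validation of the netrc machine value and no shell invocation, shown as an added example that is not yt-dlp's own code: the credential-helper template is assumed to be an operator-supplied string with a `{}` placeholder for the machine name (a constructed convention for this example), while the machine name itself is treated as untrusted because it is derived from the URL being processed.

```python
import re
import shlex
import subprocess
from typing import List

# Constructed check (not yt-dlp's): accept only a plain DNS hostname made of
# RFC 1123 labels. Shell metacharacters, wildcards, spaces and empty input fail.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})*\.?$")


def is_valid_netrc_machine(machine: str) -> bool:
    """Return True only if `machine` looks like a bare hostname."""
    return 0 < len(machine) <= 253 and bool(_HOSTNAME_RE.match(machine))


def unsafe_build(template: str, machine: str) -> str:
    """Weak pattern: the URL-derived hostname is spliced into a shell string.

    Anything the caller later runs with shell=True will interpret metacharacters
    in `machine` as shell syntax, which is the class of bug the advisory describes.
    """
    return template.replace("{}", machine)


def safe_build(template: str, machine: str) -> List[str]:
    """Hardened pattern: validate first, then build an argv list with no shell.

    The operator-supplied template is tokenised once with shlex; the hostname is
    inserted as a single argv element, so it can never be parsed as shell syntax.
    """
    if not is_valid_netrc_machine(machine):
        raise ValueError(f"refusing unsafe netrc machine value: {machine!r}")
    return [machine if tok == "{}" else tok for tok in shlex.split(template)]


def run_netrc_helper(template: str, machine: str) -> str:
    """Run the helper without a shell and return its stdout."""
    argv = safe_build(template, machine)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout
```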