Threat Advisory

yt-dlp Vulnerabilities Enable Arbitrary Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in yt-dlp versions prior to 2026.06.09. They can lead to arbitrary code execution and arbitrary file writes, posing a significant risk to businesses and individuals, as exploitation may result in unauthorized access and data breaches.


• CVE-2026-50023 with a CVSS score of 8.3 – This vulnerability allows a remote attacker to write arbitrary OS-shortcut files to the user's filesystem, bypassing the remediation for CVE-2024-38519, which can be exploited to write malicious files, potentially leading to phishing attacks or code execution.

• CVE-2026-50574 with a CVSS score of 8.3 – This vulnerability enables an attacker to perform an arbitrary file write via manifest downloads with aria2c, potentially resulting in immediate arbitrary code execution on Windows platforms or arbitrary code execution upon the next invocation of yt-dlp on non-Windows platforms.

The identified vulnerabilities pose a high risk to businesses: they can be exploited to gain unauthorized access, execute malicious code, or steal sensitive data, potentially leading to significant financial losses and reputational damage. Organizations should take immediate action to mitigate these threats and protect their assets.

RECOMMENDATION:

We recommend updating yt-dlp to version 2026.06.09.
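
To find hosts and projects still pinned below the fixed release, the following added example (not part of the advisory or of yt-dlp itself) audits `pip freeze` or requirements-style lines. It assumes `name==version` pins and uses constructed sample input; versions are compared numerically because pip reports 2026.06.09 as `2026.6.9`, which a plain string comparison would order incorrectly.

```python
import re

FIXED = (2026, 6, 9)  # first fixed release named in the advisory: 2026.06.09

# Matches pins such as "yt-dlp==2026.6.9" or "yt_dlp[default]==2025.01.15".
_PIN = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*===?\s*(?P<ver>[0-9][0-9A-Za-z.]*)"
)

def normalize_name(name):
    """PEP 503 name normalization, so yt_dlp, yt.dlp and YT-DLP compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_version(ver):
    """Return the leading numeric components: '2026.06.09' -> (2026, 6, 9)."""
    parts = []
    for piece in ver.split("."):
        if not piece.isdigit():
            break  # stop at suffixes such as 'dev0' or 'post1'
        parts.append(int(piece))
    return tuple(parts)

def is_vulnerable(ver):
    """True when the date-based version precedes the fixed release."""
    parsed = parse_version(ver)
    if len(parsed) < 3:
        raise ValueError(f"unrecognised yt-dlp version: {ver!r}")
    return parsed[:3] < FIXED

def audit(lines):
    """Return (line_number, version) for every yt-dlp pin older than FIXED."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = _PIN.match(line.split("#", 1)[0])  # ignore trailing comments
        if m and normalize_name(m.group("name")) == "yt-dlp":
            if is_vulnerable(m.group("ver")):
                findings.append((lineno, m.group("ver")))
    return findings

# Constructed sample input (not taken from the advisory).
SAMPLE = """\
requests==2.32.3
yt-dlp==2026.6.8
yt_dlp[default]==2026.06.09
YT-DLP==2025.12.30.232801.dev0  # constructed four-part pin with suffix
yt-dlp==2026.10.1
""".splitlines()
```

Calling `audit(SAMPLE)` flags lines 2 and 4 only; the `2026.10.1` pin is correctly treated as newer than the fixed release.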

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-c6mh-fpjc-4pr3
https://github.com/advisories/GHSA-vx4q-3cr2-7cg2
