CVE-2026-50574
Last modified
CVE-2026-50574 is a critical-severity vulnerability rated 9.6/10 on the CVSS scale. yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, if aria2c is used as an external downloader for a fragmented manifest format (such as an HLS/DASH stream), yt-dlp passes insufficiently sanitized input to aria2c that allows an attacker to perform an arbitrary file write. EPSS estimates a 0.40% chance of exploitation in the next 30 days.
Description
yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, if aria2c is used as an external downloader for a fragmented manifest format (such as an HLS/DASH stream), yt-dlp passes insufficiently sanitized input to aria2c that allows an attacker to perform an arbitrary file write. On Windows platforms, this can lead to immediate arbitrary code execution. On non-Windows platforms, this can lead to arbitrary code execution upon the next invocation of yt-dlp. This vulnerability is fixed in 2026.06.09.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Yt-Dlp Project | Yt-Dlp | < 2026.06.09 |
References
- https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-vx4q-3cr2-7cg2Mitigation, Patch, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-50574?
How severe is CVE-2026-50574?
How do I fix CVE-2026-50574?
Are you affected by CVE-2026-50574?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST