Command Injection Vulnerability in yt-dlp by yt-dlp Maintainers
CVE-2026-26331

8.8HIGH

Key Information:

Vendor

Yt-dlp

Status
Yt-dlp
Vendor
CVE Published:
24 February 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-26331?

The yt-dlp tool, designed for downloading audio and video content, contains a command injection vulnerability that can be triggered via the --netrc-cmd option or the netrc_cmd Python API parameter. If an attacker crafts a malicious URL, it could lead to arbitrary command execution on the user's system. Although the exploitation would require user interaction, the potential risk remains significant, especially for users utilizing these specific command-line options. The maintainers have addressed this issue in version 2026.02.21 by implementing validation checks on netrc 'machine' values and ensuring that unexpected input is flagged as an error. Users advised against using these potentially exploitable features should either upgrade or avoid including a placeholder in their command arguments.

Affected Version(s)

yt-dlp >= 2023.06.21, < 2026.02.21

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-26331
Created by dxlerYT

References

https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA...
x_refsource_CONFIRM
https://github.com/yt-dlp/yt-dlp/commit/1fbbe29b99dc61375...
x_refsource_MISC
https://github.com/yt-dlp/yt-dlp/releases/tag/2026.02.21
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability Reserved

.