Command-Line Downloader Vulnerability in yt-dlp by yt-dlp
CVE-2026-50019

6.1 MEDIUM

Key Information:

Vendor

Yt-dlp

Status
Vendor
CVE Published:
23 June 2026

What is CVE-2026-50019?

The yt-dlp command-line audio/video downloader has a vulnerability that may cause sensitive cookie information to be sent to unintended hosts. This occurs when curl is used as an external downloader, particularly during HTTP redirects or when the host serving download fragments does not match the parent manifest's host. When downloading a file, yt-dlp passes cookies to curl using the --cookie option, but if the cookies are not sourced from a specific file, curl's cookie engine remains inactive. Consequently, curl may inadvertently send cookies to unauthorized domains or paths. This issue is addressed in the software update scheduled for June 9, 2026.
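The scoping gap described above, modeled as an added example (not yt-dlp's or curl's code): a header fixed for the first URL is compared with what domain and path matching would allow at each later hop. The cookies, hostnames and function names are constructed for illustration, and the matching is a simplified form of RFC 6265.

```python
from urllib.parse import urlsplit

# Constructed sample cookies: (name, domain, path). Not taken from the advisory.
COOKIES = [
    ("session", "video.example", "/"),
    ("prefs", "video.example", "/account"),
]

def domain_match(host, domain):
    """Simplified RFC 6265 domain match (IP literals and host-only cookies not handled)."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def path_match(req_path, cookie_path):
    """RFC 6265 path match: equal, or cookie path is a prefix ending at a '/' boundary."""
    req_path = req_path or "/"
    if req_path == cookie_path:
        return True
    if req_path.startswith(cookie_path):
        return cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"
    return False

def scoped_cookies(url):
    """Cookie names a cookie engine would attach to this URL."""
    parts = urlsplit(url)
    return [name for name, domain, path in COOKIES
            if domain_match(parts.hostname or "", domain) and path_match(parts.path, path)]

def leaked_cookies(chain):
    """Names a fixed header built for chain[0] sends to each URL that scoping would withhold."""
    fixed_header = scoped_cookies(chain[0])
    return {url: [n for n in fixed_header if n not in scoped_cookies(url)]
            for url in chain}

# Constructed chain: manifest, a fragment on another host, a fragment on another path.
CHAIN = [
    "https://video.example/account/manifest.m3u8",
    "https://cdn.other.example/frag1.ts",
    "https://video.example/public/frag2.ts",
]

if __name__ == "__main__":
    for url, names in leaked_cookies(CHAIN).items():
        print(f"{url}: out-of-scope cookies sent = {names}")
```
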

Affected Version(s)

yt-dlp >= 2023.09.24, < 2026.06.09

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved