Vulnerability in yt-dlp Command-Line Downloader Exposes User Filesystem
CVE-2026-50023

8.3 HIGH

Key Information:

Vendor: yt-dlp

Status
Vendor
CVE Published: 23 June 2026

What is CVE-2026-50023?

A vulnerability in the yt-dlp command-line audio/video downloader allows a remote attacker to write arbitrary OS shortcut files (.desktop, .url, .webloc) to a user's filesystem. The issue stems from improper handling of the file-extension allowlist, which includes potentially unsafe file types because they are needed for certain functionality. Attackers can exploit this vulnerability during media or subtitle downloads, resulting in the creation of malicious shortcuts. Users are strongly advised to update yt-dlp to version 2026.06.09 or later to mitigate this security risk.
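The following triage script is an added example, not code from the yt-dlp project or from this advisory. It compares a yt-dlp version string against the fixed release 2026.06.09 and lists shortcut files of the three named types under a download directory for manual review. The function names are hypothetical, and it assumes date-based version strings and, for `installed_version`, a pip-installed yt-dlp.

```python
"""Added example: triage for CVE-2026-50023 (not yt-dlp project code)."""
import sys
from importlib import metadata
from pathlib import Path

FIXED = (2026, 6, 9)                             # first fixed release per the advisory
SHORTCUT_EXTS = {".desktop", ".url", ".webloc"}  # file types named in the advisory


def parse_version(text):
    """Turn '2026.06.09' or '2026.06.09.123456' into (year, month, day)."""
    parts = text.strip().split(".")[:3]
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised yt-dlp version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version_text):
    """True when the date part of the version is older than the fixed release."""
    return parse_version(version_text) < FIXED


def find_shortcuts(root):
    """List shortcut files under root, matching extensions case-insensitively."""
    hits = []
    for path in Path(root).rglob("*"):
        # Skip symlinked entries; only regular files are reported.
        if path.suffix.lower() in SHORTCUT_EXTS and path.is_file() and not path.is_symlink():
            hits.append(path)
    return sorted(hits)


def installed_version():
    """Version of a pip-installed yt-dlp, or None (assumption: not a standalone binary)."""
    try:
        return metadata.version("yt-dlp")
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    ver = installed_version()
    if ver is None:
        print("yt-dlp not found as a Python package; check `yt-dlp --version` instead")
    else:
        print(f"yt-dlp {ver}: {'AFFECTED, update' if is_affected(ver) else 'fixed'}")
    for hit in find_shortcuts(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"review: {hit}")
```

A hit is only a file to inspect: shortcut files can be legitimate, so check each one's target and creation time against when downloads were run.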

Affected Version(s)

yt-dlp < 2026.06.09

CVSS V3.1

Score: 8.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
