Arbitrary File Write Vulnerability in yt-dlp Command-Line Tool
CVE-2026-50574

8.3 HIGH

Key Information:

Vendor: yt-dlp

CVE Published: 23 June 2026

What is CVE-2026-50574?

yt-dlp, a command-line audio/video downloader, is vulnerable in versions prior to 2026.06.09 when aria2c is used as an external downloader with fragmented manifest formats, such as HLS or DASH streams. Insufficiently sanitized input allows an attacker to write arbitrary files. On Windows systems, this could lead to immediate execution of arbitrary code, while on non-Windows platforms, execution could occur the next time yt-dlp is used. Users are advised to update to the latest version to safeguard against potential attacks.

Affected Version(s)

yt-dlp < 2026.06.09

CVSS V3.1

Score: 8.3
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
