Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attacker-controlled remote metadata (AV:N, PR:N) but exploitation needs a non-default option plus the victim opening the shortcut (UI:R); opened shortcut yields full code execution (C/I/A:H).
Primary rating from Vendor (GitHub_M).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
8DescriptionNVD
yt-dlp and youtube-dl are command-line audio/video downloaders. Prior to 2026.7.4, the --write-link, --write-url-link, and --write-desktop-link options can write .url or .desktop shortcut files using attacker-controlled webpage_url or filename metadata without sufficient validation or escaping, allowing malicious file:// URI injection on Windows or newline-based desktop entry key injection on Linux that can execute commands if the generated shortcut is opened. This issue is fixed in version 2026.7.4.
AnalysisAI
Command injection in yt-dlp and youtube-dl before 2026.7.4 lets a malicious video/webpage host smuggle attacker-controlled data into shortcut files generated by the --write-link, --write-url-link, and --write-desktop-link options. Because webpage_url and filename metadata are written to .url/.desktop files without validation or escaping, an attacker can inject a file:// URI on Windows or a newline-based Desktop Entry key on Linux that runs commands when the victim later opens the generated shortcut. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the victim run yt-dlp/youtube-dl (before 2026.7.4) with one of the shortcut-writing options explicitly enabled - --write-link, --write-url-link, or --write-desktop-link - against a source whose webpage_url or filename metadata the attacker controls; these options are NOT enabled by default, which is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and should temper the raw 8.8 CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes a video or webpage whose title/URL metadata embeds a file:// URI (Windows) or an extra newline-delimited Desktop Entry key with an Exec-style payload (Linux). A victim downloads it with yt-dlp using --write-url-link or --write-desktop-link, producing a poisoned shortcut in their download folder; when the victim double-clicks that shortcut, the injected command or file reference executes in their context. … |
| Remediation | Vendor-released patch: upgrade to yt-dlp 2026.7.4 or later (release https://github.com/yt-dlp/yt-dlp/releases/tag/2026.07.04; fix commit https://github.com/yt-dlp/yt-dlp/commit/b6590aaa1e3808155d69c9a79a797ae484163789), which validates the URL scheme (only http/https allowed) and escapes Desktop Entry localestrings. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, inventory all deployments of yt-dlp and youtube-dl in your environment, specifically identifying instances using the --write-link, --write-url-link, or --write-desktop-link options. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Command injection via Windows CreateProcess argument parsing affects multiple language runtimes and tooling (Node.js, PH
yt-dlp is a command-line audio/video downloader. [CVSS 8.8 HIGH]
yt-dlp is a youtube-dl fork with additional features and fixes. Rated high severity (CVSS 7.8), this vulnerability is no
yt-dlp is a command-line program to download videos from video sites. Rated high severity (CVSS 8.2), this vulnerability
yt-dlp is a youtube-dl fork with additional features and fixes. Rated low severity (CVSS 3.7), this vulnerability is rem
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42368