Skip to main content

yt-dlp EUVDEUVD-2026-42368

| CVE-2026-55404 HIGH
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2026-07-08 GitHub_M
8.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (GitHub_M) PRIMARY
HIGH
qualitative
NVD
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Attacker-controlled remote metadata (AV:N, PR:N) but exploitation needs a non-default option plus the victim opening the shortcut (UI:R); opened shortcut yields full code execution (C/I/A:H).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

8
Analysis Updated
Jul 13, 2026 - 19:35 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 13, 2026 - 19:34 vuln.today
Analysis Updated
Jul 13, 2026 - 19:34 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 13, 2026 - 19:07 vuln.today
cvss_changed
CVSS changed
Jul 13, 2026 - 19:07 NVD
7.5 (HIGH) 8.8 (HIGH)
Patch available
Jul 08, 2026 - 21:04 EUVD
Analysis Generated
Jul 08, 2026 - 20:36 vuln.today
CVE Published
Jul 08, 2026 - 19:36 cve.org
HIGH 7.5

DescriptionNVD

yt-dlp and youtube-dl are command-line audio/video downloaders. Prior to 2026.7.4, the --write-link, --write-url-link, and --write-desktop-link options can write .url or .desktop shortcut files using attacker-controlled webpage_url or filename metadata without sufficient validation or escaping, allowing malicious file:// URI injection on Windows or newline-based desktop entry key injection on Linux that can execute commands if the generated shortcut is opened. This issue is fixed in version 2026.7.4.

AnalysisAI

Command injection in yt-dlp and youtube-dl before 2026.7.4 lets a malicious video/webpage host smuggle attacker-controlled data into shortcut files generated by the --write-link, --write-url-link, and --write-desktop-link options. Because webpage_url and filename metadata are written to .url/.desktop files without validation or escaping, an attacker can inject a file:// URI on Windows or a newline-based Desktop Entry key on Linux that runs commands when the victim later opens the generated shortcut. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host malicious page with crafted URL/title metadata
Delivery
Victim downloads with --write-desktop-link/--write-url-link
Exploit
Poisoned shortcut written without escaping
Execution
Victim opens .url/.desktop shortcut
Impact
Injected file:// URI or Exec key runs commands

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim run yt-dlp/youtube-dl (before 2026.7.4) with one of the shortcut-writing options explicitly enabled - --write-link, --write-url-link, or --write-desktop-link - against a source whose webpage_url or filename metadata the attacker controls; these options are NOT enabled by default, which is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and should temper the raw 8.8 CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes a video or webpage whose title/URL metadata embeds a file:// URI (Windows) or an extra newline-delimited Desktop Entry key with an Exec-style payload (Linux). A victim downloads it with yt-dlp using --write-url-link or --write-desktop-link, producing a poisoned shortcut in their download folder; when the victim double-clicks that shortcut, the injected command or file reference executes in their context. …
Remediation Vendor-released patch: upgrade to yt-dlp 2026.7.4 or later (release https://github.com/yt-dlp/yt-dlp/releases/tag/2026.07.04; fix commit https://github.com/yt-dlp/yt-dlp/commit/b6590aaa1e3808155d69c9a79a797ae484163789), which validates the URL scheme (only http/https allowed) and escapes Desktop Entry localestrings. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all deployments of yt-dlp and youtube-dl in your environment, specifically identifying instances using the --write-link, --write-url-link, or --write-desktop-link options. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42368 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy