{"id":"CVE-2026-26331","summary":"yt-dlp: Arbitrary Command Injection when using the `--netrc-cmd` option","details":"yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 and prior to version 2026.02.21, when yt-dlp's `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL. yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses `--netrc-cmd` in their command/configuration or `netrc_cmd` in their Python scripts. Even though the maliciously crafted URL itself will look very suspicious to many users, it would be trivial for a maliciously crafted webpage with an inconspicuous URL to covertly exploit this vulnerability via HTTP redirect. Users without `--netrc-cmd` in their arguments or `netrc_cmd` in their scripts are unaffected. No evidence has been found of this exploit being used in the wild. yt-dlp version 2026.02.21 fixes this issue by validating all netrc \"machine\" values and raising an error upon unexpected input. As a workaround, users who are unable to upgrade should avoid using the `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter), or they should at least not pass a placeholder (`{}`) in their `--netrc-cmd` argument.","aliases":["GHSA-g3gw-q23r-pgqm"],"modified":"2026-04-16T04:44:01.062887516Z","published":"2026-02-24T02:23:40.858Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26331.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-78"]},"references":[{"type":"WEB","url":"https://github.com/yt-dlp/yt-dlp/releases/tag/2026.02.21"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26331.json"},{"type":"ADVISORY","url":"https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-g3gw-q23r-pgqm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-26331"},{"type":"FIX","url":"https://github.com/yt-dlp/yt-dlp/commit/1fbbe29b99dc61375bf6d786f824d9fcf6ea9c1a"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/yt-dlp/yt-dlp","events":[{"introduced":"d1b21561497b6bbb8ff1202e63f48eb41bd315af"},{"fixed":"e2a9cc7d137c88843e064bc9ea11cdca5cd4c82a"}]}],"versions":["2023.06.21","2023.06.22","2023.07.06","2023.09.24","2023.10.07","2023.10.13","2023.11.14","2023.11.16","2023.12.30","2024.03.10","2024.04.09","2024.05.26","2024.05.27","2024.07.01","2024.07.02","2024.07.07","2024.07.08","2024.07.09","2024.07.16","2024.07.25","2024.08.01","2024.08.06","2024.09.27","2024.10.07","2024.10.22","2024.11.04","2024.11.18","2024.12.03","2024.12.06","2024.12.13","2024.12.23","2025.01.12","2025.01.15","2025.01.26","2025.02.19","2025.03.21","2025.03.25","2025.03.26","2025.03.27","2025.03.31","2025.04.30","2025.05.22","2025.06.09","2025.06.25","2025.06.30","2025.07.21","2025.08.11","2025.08.20","2025.08.22","2025.08.27","2025.09.05","2025.09.23","2025.09.26","2025.10.14","2025.10.22","2025.11.12","2025.12.08","2026.01.29","2026.01.31",
"2026.02.04"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26331.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}
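The injection pattern the details field describes (an attacker-influenced netrc "machine" value substituted into the `{}` placeholder of a shell command) beside the validating fix it credits to 2026.02.21, as an added Python example that is not yt-dlp's own code. The allow-list regex, the `machine_from_url` helper, the `UnsafeMachineError` class, the `replace('{}', ...)` substitution and the sample template and URLs are all assumptions made for this illustration; yt-dlp's real placeholder handling and its actual validation check are in the FIX commit referenced above, not here.

```python
import re
import shlex
from urllib.parse import urlsplit

# Conservative allow-list for a netrc "machine" value: dot-separated labels of
# letters, digits, '_' and '-'. This regex is an assumption for the example,
# not the check yt-dlp 2026.02.21 ships.
_MACHINE_RE = re.compile(r'^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$')


class UnsafeMachineError(ValueError):
    """Raised when a netrc machine value contains characters a shell would interpret."""


def machine_from_url(url):
    """Hypothetical model of how a machine name can come from a URL: the
    network-location part is taken verbatim. urlsplit() only stops the netloc
    at '/', '?' or '#', so ';', '|', '$' and backticks survive into it."""
    return urlsplit(url).netloc


def build_netrc_cmd_unsafe(template, machine):
    """Vulnerable pattern: paste the machine value into the command template
    that will be handed to a shell. Metacharacters in `machine` become shell
    syntax, which is the CWE-78 condition in the advisory."""
    return template.replace('{}', machine)


def validate_machine(machine):
    """Mirror of the fix described in the advisory: validate the machine value
    and raise on unexpected input instead of passing it on."""
    if not _MACHINE_RE.fullmatch(machine):
        raise UnsafeMachineError(f'refusing to use netrc machine value {machine!r}')
    return machine


def is_rejected(machine):
    """True if validate_machine() refuses the value (helper for callers/tests)."""
    try:
        validate_machine(machine)
    except UnsafeMachineError:
        return True
    return False


def build_netrc_cmd_safe(template, machine):
    """Hardened pattern: validate first, then shell-quote as defence in depth so
    the value stays a single shell word even if the allow-list is later widened."""
    validate_machine(machine)
    return template.replace('{}', shlex.quote(machine))


def resolve_netrc_cmd(template, url, safe=True):
    """End to end: URL -> machine value -> command string, vulnerable or hardened."""
    machine = machine_from_url(url)
    builder = build_netrc_cmd_safe if safe else build_netrc_cmd_unsafe
    return builder(template, machine)


if __name__ == '__main__':
    # Constructed sample inputs; the template is shaped like a typical --netrc-cmd.
    template = 'gpg --decrypt ~/.authinfo.gpg | grep {}'
    benign = 'https://example.com/watch?v=123'
    crafted = 'https://example.com;id/watch?v=123'   # netloc smuggles "; id"

    print(resolve_netrc_cmd(template, benign, safe=False))
    print(resolve_netrc_cmd(template, crafted, safe=False))  # grep ... ; id
    print(resolve_netrc_cmd(template, benign, safe=True))
    try:
        resolve_netrc_cmd(template, crafted, safe=True)
    except UnsafeMachineError as exc:
        print('blocked:', exc)
```

The unsafe path never executes anything here; it only shows that the crafted URL turns one command into two. Validation is the primary control because it fails closed on anything unexpected; quoting alone would still let an over-broad allow-list leak shell syntax, and an allow-list alone would have to stay exactly right forever, so the hardened builder does both.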