{"id":"CVE-2026-50574","summary":"yt-dlp: Arbitrary code execution via manifest downloads with aria2c","details":"yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, if aria2c is used as an external downloader for a fragmented manifest format (such as an HLS/DASH stream), yt-dlp passes insufficiently sanitized input to aria2c that allows an attacker to perform an arbitrary file write. On Windows platforms, this can lead to immediate arbitrary code execution. On non-Windows platforms, this can lead to arbitrary code execution upon the next invocation of yt-dlp. This vulnerability is fixed in 2026.06.09.","aliases":["GHSA-vx4q-3cr2-7cg2"],"modified":"2026-07-08T08:09:43.361489727Z","published":"2026-06-23T16:09:18.086Z","related":["openSUSE-SU-2026:11019-1","openSUSE-SU-2026:21163-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50574.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-74"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50574.json"},{"type":"ADVISORY","url":"https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-vx4q-3cr2-7cg2"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-50574"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/yt-dlp/yt-dlp","events":[{"introduced":"0"},{"fixed":"7f7bdc974dc61d941d1a0d51c4e21a0fdb7b2d06"}],"database_specific":{"source":["AFFECTED_FIELD","CPE_RANGE"],"extracted_events":[{"introduced":"0"},{"fixed":"2026.06.09"}],"cpe":"cpe:2.3:a:yt-dlp_project:yt-dlp:*:*:*:*:*:*:*:*"}}],"versions":["2026.03.17","2026.03.13","2026.03.03","2026.02.21","2026.02.04","2026.01.31","2026.01.29","2025.12.08","2025.11.12","2025.10.22","2025.10.14","2025.09.26","2025.09.23","2025.09.05","2025.08.27","2025.08.22","2025.08.20","2025.08.11","2025.07.21","2025.06.30","2025.06.25","2025.06.09","2025.05.22","2025.04.30","2025.03.31","2025.03.27","2025.03.26","2025.03.25","2025.03.21","2025.02.19","2025.01.26","2025.01.15","2025.01.12","2024.12.23","2024.12.13","2024.12.06","2024.12.03","2024.11.18","2024.11.04","2024.10.22","2024.10.07","2024.09.27","2024.08.06","2024.08.01","2024.07.25","2024.07.16","2024.07.09","2024.07.08","2024.07.07","2024.07.02","2024.07.01","2024.05.27","2024.05.26","2024.04.09","2024.03.10","2023.12.30","2023.11.16","2023.11.14","2023.10.13","2023.10.07","2023.09.24","2023.07.06","2023.06.22","2023.06.21","2023.03.04","2023.03.03","2023.02.17","2023.01.06","2023.01.02","2022.11.11","2022.10.04","2022.09.01","2022.08.19","2022.08.14","2022.08.08","2022.07.18","2022.06.29","2022.06.22.1","2022.06.22","2022.05.18","2022.04.08","2022.03.08.1","2022.02.04","2022.02.03","2021.12.27","2021.12.25","2021.12.01","2021.11.10.1","2021.11.10","2021.10.22","2021.10.10","2021.10.09","2021.09.25","2021.09.02","2021.08.10","2021.08.02","2021.07.24","2021.07.21","2021.07.07","2021.06.23","2021.06.09","2021.06.08","2021.06.01","2021.05.11","2021.04.22","2021.04.11","2021.04.03","2021.03.24.1","2021.03.24","2021.03.15","2021.03.07","2021.03.03.2","2021.03.01","2021.02.24","2021.02.19","2021.02.15","2021.02.09","2021.02.04","2021.01.29","2021.01.20","2021.01.16","2021.01.14","2021.01.12","2021.01.10","2021.01.09","2021.01.08","2021.01.07"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-50574.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H"}]}