FKIE_CVE-2026-26331

Vulnerability from fkie_nvd - Published: 2026-02-24 03:16 - Updated: 2026-02-25 19:32
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 and prior to version 2026.02.21, when yt-dlp's `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL. yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses `--netrc-cmd` in their command/configuration or `netrc_cmd` in their Python scripts. Even though the maliciously crafted URL itself will look very suspicious to many users, it would be trivial for a maliciously crafted webpage with an inconspicuous URL to covertly exploit this vulnerability via HTTP redirect. Users without `--netrc-cmd` in their arguments or `netrc_cmd` in their scripts are unaffected. No evidence has been found of this exploit being used in the wild. yt-dlp version 2026.02.21 fixes this issue by validating all netrc "machine" values and raising an error upon unexpected input. As a workaround, users who are unable to upgrade should avoid using the `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter), or they should at least not pass a placeholder (`{}`) in their `--netrc-cmd` argument.
References
security-advisories@github.comhttps://github.com/yt-dlp/yt-dlp/commit/1fbbe29b99dc61375bf6d786f824d9fcf6ea9c1aPatch
security-advisories@github.comhttps://github.com/yt-dlp/yt-dlp/releases/tag/2026.02.21Product, Release Notes
security-advisories@github.comhttps://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-g3gw-q23r-pgqmExploit, Mitigation, Vendor Advisory
Impacted products
Vendor Product Version
yt-dlp_project yt-dlp *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:yt-dlp_project:yt-dlp:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "12B9D4B5-A1FA-4317-A911-DF469B09D3D5",
              "versionEndExcluding": "2026.02.21",
              "versionStartIncluding": "2023.06.21",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 and prior to version 2026.02.21, when yt-dlp\u0027s `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter) is used, an attacker could achieve arbitrary command injection on the user\u0027s system with a maliciously crafted URL. yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses `--netrc-cmd` in their command/configuration or `netrc_cmd` in their Python scripts. Even though the maliciously crafted URL itself will look very suspicious to many users, it would be trivial for a maliciously crafted webpage with an inconspicuous URL to covertly exploit this vulnerability via HTTP redirect. Users without `--netrc-cmd` in their arguments or `netrc_cmd` in their scripts are unaffected. No evidence has been found of this exploit being used in the wild. yt-dlp version 2026.02.21 fixes this issue by validating all netrc \"machine\" values and raising an error upon unexpected input. As a workaround, users who are unable to upgrade should avoid using the `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter), or they should at least not pass a placeholder (`{}`) in their `--netrc-cmd` argument."
    },
    {
      "lang": "es",
      "value": "yt-dlp es un descargador de audio/v\u00eddeo de l\u00ednea de comandos. A partir de la versi\u00f3n 2023.06.21 y antes de la versi\u00f3n 2026.02.21, cuando se utiliza la opci\u00f3n de l\u00ednea de comandos \u0027--netrc-cmd\u0027 de yt-dlp (o el par\u00e1metro de API de Python \u0027netrc_cmd\u0027), un atacante podr\u00eda lograr una inyecci\u00f3n de comandos arbitraria en el sistema del usuario con una URL creada maliciosamente. Los encargados del mantenimiento de yt-dlp asumen que el impacto de esta vulnerabilidad es alto para cualquiera que use \u0027--netrc-cmd\u0027 en su comando/configuraci\u00f3n o \u0027netrc_cmd\u0027 en sus scripts de Python. Aunque la URL creada maliciosamente en s\u00ed parecer\u00e1 muy sospechosa para muchos usuarios, ser\u00eda trivial explotar encubiertamente esta vulnerabilidad a trav\u00e9s de una redirecci\u00f3n HTTP para una p\u00e1gina web creada maliciosamente con una URL discreta . Los usuarios sin \u0027--netrc-cmd\u0027 en sus argumentos o \u0027netrc_cmd\u0027 en sus scripts no se ven afectados. No se ha encontrado evidencia de que este exploit se est\u00e9 utilizando. La versi\u00f3n 2026.02.21 de yt-dlp soluciona este problema validando todos los valores de \u0027machine\u0027 de netrc y generando un error ante una entrada inesperada. Como soluci\u00f3n alternativa, los usuarios que no puedan actualizarse deben evitar usar la opci\u00f3n de l\u00ednea de comandos \u0027--netrc-cmd\u0027 (o el par\u00e1metro de API de Python \u0027netrc_cmd\u0027), o al menos no deben pasar un marcador de posici\u00f3n (\u0027{}\u0027) en su argumento \u0027--netrc-cmd\u0027."
    }
  ],
  "id": "CVE-2026-26331",
  "lastModified": "2026-02-25T19:32:30.417",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-24T03:16:01.710",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/yt-dlp/yt-dlp/commit/1fbbe29b99dc61375bf6d786f824d9fcf6ea9c1a"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2026.02.21"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-g3gw-q23r-pgqm"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.