{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26331", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-13T16:27:51.810Z", "datePublished": "2026-02-24T02:23:40.858Z", "dateUpdated": "2026-02-24T02:23:40.858Z"}, "containers": {"cna": {"title": "yt-dlp: Arbitrary Command Injection when using the `--netrc-cmd` option", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-g3gw-q23r-pgqm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-g3gw-q23r-pgqm"}, {"name": "https://github.com/yt-dlp/yt-dlp/commit/1fbbe29b99dc61375bf6d786f824d9fcf6ea9c1a", "tags": ["x_refsource_MISC"], "url": "https://github.com/yt-dlp/yt-dlp/commit/1fbbe29b99dc61375bf6d786f824d9fcf6ea9c1a"}, {"name": "https://github.com/yt-dlp/yt-dlp/releases/tag/2026.02.21", "tags": ["x_refsource_MISC"], "url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2026.02.21"}], "affected": [{"vendor": "yt-dlp", "product": "yt-dlp", "versions": [{"version": ">= 2023.06.21, < 2026.02.21", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T02:23:40.858Z"}, "descriptions": [{"lang": "en", "value": "yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 and prior to version 2026.02.21, when yt-dlp's `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL. yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses `--netrc-cmd` in their command/configuration or `netrc_cmd` in their Python scripts. Even though the maliciously crafted URL itself will look very suspicious to many users, it would be trivial for a maliciously crafted webpage with an inconspicuous URL to covertly exploit this vulnerability via HTTP redirect. Users without `--netrc-cmd` in their arguments or `netrc_cmd` in their scripts are unaffected. No evidence has been found of this exploit being used in the wild. yt-dlp version 2026.02.21 fixes this issue by validating all netrc \"machine\" values and raising an error upon unexpected input. As a workaround, users who are unable to upgrade should avoid using the `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter), or they should at least not pass a placeholder (`{}`) in their `--netrc-cmd` argument."}], "source": {"advisory": "GHSA-g3gw-q23r-pgqm", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 and prior to version 2026.02.21, when yt-dlp's `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL. yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses `--netrc-cmd` in their command/configuration or `netrc_cmd` in their Python scripts. Even though the maliciously crafted URL itself will look very suspicious to many users, it would be trivial for a maliciously crafted webpage with an inconspicuous URL to covertly exploit this vulnerability via HTTP redirect. Users without `--netrc-cmd` in their arguments or `netrc_cmd` in their scripts are unaffected. No evidence has been found of this exploit being used in the wild. yt-dlp version 2026.02.21 fixes this issue by validating all netrc \"machine\" values and raising an error upon unexpected input. As a workaround, users who are unable to upgrade should avoid using the `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter), or they should at least not pass a placeholder (`{}`) in their `--netrc-cmd` argument."}], "id": "CVE-2026-26331", "lastModified": "2026-02-24T03:16:01.710", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-24T03:16:01.710", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/yt-dlp/yt-dlp/commit/1fbbe29b99dc61375bf6d786f824d9fcf6ea9c1a"}, {"source": "security-advisories@github.com", "url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2026.02.21"}, {"source": "security-advisories@github.com", "url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-g3gw-q23r-pgqm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "yt-dlp: yt-dlp: Arbitrary command injection via maliciously crafted URL when --netrc-cmd is used", "id": "2442143", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442143"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-78", "details": ["A flaw was found in yt-dlp, a command-line audio/video downloader. When the `--netrc-cmd` command-line option is enabled, a remote attacker can exploit a maliciously crafted URL to achieve arbitrary command injection. This allows the attacker to execute unauthorized commands on the user's system, potentially leading to a complete compromise. This vulnerability primarily affects users who utilize the `--netrc-cmd` feature."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, avoid using the `--netrc-cmd` command-line option or the `netrc_cmd` Python API parameter. If the `--netrc-cmd` option is essential for your workflow, ensure that a placeholder (`{}`) is not passed in the argument. Disabling this feature may impact workflows that rely on custom netrc command execution."}, "name": "CVE-2026-26331", "public_date": "2026-02-24T02:23:40Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-26331\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-26331\nhttps://github.com/yt-dlp/yt-dlp/commit/1fbbe29b99dc61375bf6d786f824d9fcf6ea9c1a\nhttps://github.com/yt-dlp/yt-dlp/releases/tag/2026.02.21\nhttps://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-g3gw-q23r-pgqm"], "statement": "This is an IMPORTANT arbitrary command injection flaw in yt-dlp. The vulnerability occurs when the `--netrc-cmd` command-line option or `netrc_cmd` Python API parameter is actively used. Systems where this specific feature is not enabled or utilized are not affected by this issue.", "threat_severity": "Important"}