{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26331", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-13T16:27:51.810Z", "datePublished": "2026-02-24T02:23:40.858Z", "dateUpdated": "2026-02-24T20:08:47.720Z"}, "containers": {"cna": {"title": "yt-dlp: Arbitrary Command Injection when using the `--netrc-cmd` option", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-g3gw-q23r-pgqm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-g3gw-q23r-pgqm"}, {"name": "https://github.com/yt-dlp/yt-dlp/commit/1fbbe29b99dc61375bf6d786f824d9fcf6ea9c1a", "tags": ["x_refsource_MISC"], "url": "https://github.com/yt-dlp/yt-dlp/commit/1fbbe29b99dc61375bf6d786f824d9fcf6ea9c1a"}, {"name": "https://github.com/yt-dlp/yt-dlp/releases/tag/2026.02.21", "tags": ["x_refsource_MISC"], "url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2026.02.21"}], "affected": [{"vendor": "yt-dlp", "product": "yt-dlp", "versions": [{"version": ">= 2023.06.21, < 2026.02.21", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T02:23:40.858Z"}, "descriptions": [{"lang": "en", "value": "yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 and prior to version 2026.02.21, when yt-dlp's `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL. yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses `--netrc-cmd` in their command/configuration or `netrc_cmd` in their Python scripts. Even though the maliciously crafted URL itself will look very suspicious to many users, it would be trivial for a maliciously crafted webpage with an inconspicuous URL to covertly exploit this vulnerability via HTTP redirect. Users without `--netrc-cmd` in their arguments or `netrc_cmd` in their scripts are unaffected. No evidence has been found of this exploit being used in the wild. yt-dlp version 2026.02.21 fixes this issue by validating all netrc \"machine\" values and raising an error upon unexpected input. As a workaround, users who are unable to upgrade should avoid using the `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter), or they should at least not pass a placeholder (`{}`) in their `--netrc-cmd` argument."}], "source": {"advisory": "GHSA-g3gw-q23r-pgqm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T20:08:27.991642Z", "id": "CVE-2026-26331", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T20:08:47.720Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26331", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-24T20:08:27.991642Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T20:08:37.464Z"}}], "cna": {"title": "yt-dlp: Arbitrary Command Injection when using the `--netrc-cmd` option", "source": {"advisory": "GHSA-g3gw-q23r-pgqm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "yt-dlp", "product": "yt-dlp", "versions": [{"status": "affected", "version": ">= 2023.06.21, < 2026.02.21"}]}], "references": [{"url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-g3gw-q23r-pgqm", "name": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-g3gw-q23r-pgqm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/yt-dlp/yt-dlp/commit/1fbbe29b99dc61375bf6d786f824d9fcf6ea9c1a", "name": "https://github.com/yt-dlp/yt-dlp/commit/1fbbe29b99dc61375bf6d786f824d9fcf6ea9c1a", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2026.02.21", "name": "https://github.com/yt-dlp/yt-dlp/releases/tag/2026.02.21", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 and prior to version 2026.02.21, when yt-dlp's `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL. yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses `--netrc-cmd` in their command/configuration or `netrc_cmd` in their Python scripts. Even though the maliciously crafted URL itself will look very suspicious to many users, it would be trivial for a maliciously crafted webpage with an inconspicuous URL to covertly exploit this vulnerability via HTTP redirect. Users without `--netrc-cmd` in their arguments or `netrc_cmd` in their scripts are unaffected. No evidence has been found of this exploit being used in the wild. yt-dlp version 2026.02.21 fixes this issue by validating all netrc \"machine\" values and raising an error upon unexpected input. As a workaround, users who are unable to upgrade should avoid using the `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter), or they should at least not pass a placeholder (`{}`) in their `--netrc-cmd` argument."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T02:23:40.858Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26331", "state": "PUBLISHED", "dateUpdated": "2026-02-24T20:08:47.720Z", "dateReserved": "2026-02-13T16:27:51.810Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-24T02:23:40.858Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:yt-dlp_project:yt-dlp:*:*:*:*:*:*:*:*", "matchCriteriaId": "12B9D4B5-A1FA-4317-A911-DF469B09D3D5", "versionEndExcluding": "2026.02.21", "versionStartIncluding": "2023.06.21", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 and prior to version 2026.02.21, when yt-dlp's `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL. yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses `--netrc-cmd` in their command/configuration or `netrc_cmd` in their Python scripts. Even though the maliciously crafted URL itself will look very suspicious to many users, it would be trivial for a maliciously crafted webpage with an inconspicuous URL to covertly exploit this vulnerability via HTTP redirect. Users without `--netrc-cmd` in their arguments or `netrc_cmd` in their scripts are unaffected. No evidence has been found of this exploit being used in the wild. yt-dlp version 2026.02.21 fixes this issue by validating all netrc \"machine\" values and raising an error upon unexpected input. As a workaround, users who are unable to upgrade should avoid using the `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter), or they should at least not pass a placeholder (`{}`) in their `--netrc-cmd` argument."}, {"lang": "es", "value": "yt-dlp es un descargador de audio/v\u00eddeo de l\u00ednea de comandos. A partir de la versi\u00f3n 2023.06.21 y antes de la versi\u00f3n 2026.02.21, cuando se utiliza la opci\u00f3n de l\u00ednea de comandos '--netrc-cmd' de yt-dlp (o el par\u00e1metro de API de Python 'netrc_cmd'), un atacante podr\u00eda lograr una inyecci\u00f3n de comandos arbitraria en el sistema del usuario con una URL creada maliciosamente. Los encargados del mantenimiento de yt-dlp asumen que el impacto de esta vulnerabilidad es alto para cualquiera que use '--netrc-cmd' en su comando/configuraci\u00f3n o 'netrc_cmd' en sus scripts de Python. Aunque la URL creada maliciosamente en s\u00ed parecer\u00e1 muy sospechosa para muchos usuarios, ser\u00eda trivial explotar encubiertamente esta vulnerabilidad a trav\u00e9s de una redirecci\u00f3n HTTP para una p\u00e1gina web creada maliciosamente con una URL discreta . Los usuarios sin '--netrc-cmd' en sus argumentos o 'netrc_cmd' en sus scripts no se ven afectados. No se ha encontrado evidencia de que este exploit se est\u00e9 utilizando. La versi\u00f3n 2026.02.21 de yt-dlp soluciona este problema validando todos los valores de 'machine' de netrc y generando un error ante una entrada inesperada. Como soluci\u00f3n alternativa, los usuarios que no puedan actualizarse deben evitar usar la opci\u00f3n de l\u00ednea de comandos '--netrc-cmd' (o el par\u00e1metro de API de Python 'netrc_cmd'), o al menos no deben pasar un marcador de posici\u00f3n ('{}') en su argumento '--netrc-cmd'."}], "id": "CVE-2026-26331", "lastModified": "2026-02-25T19:32:30.417", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-24T03:16:01.710", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/yt-dlp/yt-dlp/commit/1fbbe29b99dc61375bf6d786f824d9fcf6ea9c1a"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2026.02.21"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-g3gw-q23r-pgqm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "yt-dlp: yt-dlp: Arbitrary command injection via maliciously crafted URL when --netrc-cmd is used", "id": "2442143", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442143"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-78", "details": ["A flaw was found in yt-dlp, a command-line audio/video downloader. When the `--netrc-cmd` command-line option is enabled, a remote attacker can exploit a maliciously crafted URL to achieve arbitrary command injection. This allows the attacker to execute unauthorized commands on the user's system, potentially leading to a complete compromise. This vulnerability primarily affects users who utilize the `--netrc-cmd` feature."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, avoid using the `--netrc-cmd` command-line option or the `netrc_cmd` Python API parameter. If the `--netrc-cmd` option is essential for your workflow, ensure that a placeholder (`{}`) is not passed in the argument. Disabling this feature may impact workflows that rely on custom netrc command execution."}, "name": "CVE-2026-26331", "public_date": "2026-02-24T02:23:40Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-26331\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-26331\nhttps://github.com/yt-dlp/yt-dlp/commit/1fbbe29b99dc61375bf6d786f824d9fcf6ea9c1a\nhttps://github.com/yt-dlp/yt-dlp/releases/tag/2026.02.21\nhttps://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-g3gw-q23r-pgqm"], "statement": "This is an IMPORTANT arbitrary command injection flaw in yt-dlp. The vulnerability occurs when the `--netrc-cmd` command-line option or `netrc_cmd` Python API parameter is actively used. Systems where this specific feature is not enabled or utilized are not affected by this issue.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2023.06.21,2026.02.21)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "yt-dlp", "source": "cna", "vendor": "yt-dlp"}, "product": "yt-dlp", "vendor": "yt-dlp"}], "analysis": {"en": {"generated_at": "2026-04-17T15:55:05.020066+00:00", "value": {"mitigation_remediation": ["Upgrade yt\u2011dlp to version 2026\u201102\u201121 or later to apply the official fix.", "If an update is not available, remove the \"--netrc-cmd\" option from command lines and configuration files, or refrain from passing any netrc placeholder or custom command proxy.", "Ensure that network downloads do not include or redirect to suspicious URLs, and audit any scripts that generate URLs for yt\u2011dlp usage.", "Verify that no files or scripts on the system contain the vulnerable option or parameters, and monitor for unexpected process executions."], "summary": {"action": "Patch", "impact": "Arbitrary Command Execution in yt-dlp via the \"--netrc-cmd\" option"}, "threat_synthesis": {"affected_systems": "All users of yt\u2011dlp versions from 2023\u201106\u201121 up to, but not including, 2026\u201102\u201121 are affected. Versions 2026\u201102\u201121 and later include a fix that validates netrc machine values and rejects invalid input. The product is the yt\u2011dlp command\u2011line audio/video downloader distributed under the yt\u2011dlp_project vendor.", "description_and_impact": "A flaw in yt-dlp allows a maliciously crafted URL to trigger command injection when the program processes the \"--netrc-cmd\" command\u2011line option (or the equivalent Python API parameter). If an attacker supplies a URL that contains unexpected characters, the downloader will execute those characters as shell commands, giving the attacker full control over the host on which yt\u2011dlp runs. The vulnerability is classified as CWE\u201178, indicating unsafe system call construction. Successful exploitation would compromise confidentiality, integrity, and availability of the affected system.", "risk_and_exploitability": "The CVSS score of 8.8 marks this a high\u2011severity bug. The EPSS score is reported as less than 1\u202f%, suggesting a low probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. The likely attack path requires a user or script to invoke yt\u2011dlp with the vulnerable option and a malicious URL; this could occur manually or through a web\u2011hosted redirect that the downloader follows automatically. Because the input is supplied via a URL, the vulnerability is typically exposed only when the user or application trusts external URLs. In absence of a malicious URL, the system remains safe."}}}}, "created": "2026-02-24T09:53:23.808696+00:00", "updated": "2026-04-17T16:00:11.381588+00:00", "vendors": ["yt-dlp", "yt-dlp$PRODUCT$yt-dlp"]}