{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6218", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-13T13:29:24.363Z", "datePublished": "2026-04-13T20:30:14.394Z", "dateUpdated": "2026-04-14T13:05:33.179Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-13T20:30:14.394Z"}, "title": "aandrew-me ytDownloader Error Details Panel createTextNode cross site scripting", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-79", "lang": "en", "description": "Cross Site Scripting"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-94", "lang": "en", "description": "Code Injection"}]}], "affected": [{"vendor": "aandrew-me", "product": "ytDownloader", "versions": [{"version": "3.20.0", "status": "affected"}, {"version": "3.20.1", "status": "affected"}, {"version": "3.20.2", "status": "affected"}], "modules": ["Error Details Panel"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in aandrew-me ytDownloader up to 3.20.2. Affected by this issue is the function createTextNode of the component Error Details Panel. The manipulation results in cross site scripting. The attack may be performed from remote. The vendor was contacted early about this disclosure."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:X/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:X/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:ND/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-13T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-13T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-13T15:35:16.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "ngocnn97 (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/357139", "name": "VDB-357139 | aandrew-me ytDownloader Error Details Panel createTextNode cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/357139/cti", "name": "VDB-357139 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/785842", "name": "Submit #785842 | Aandrew-me ytDownloader 3.20.2 Remote code execution via DOM XSS", "tags": ["third-party-advisory"]}, {"url": "https://github.com/ngocnn97/security-advisories/blob/main/YtDownloader_XSS_To_RCE_PoC.mp4", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T13:05:05.445688Z", "id": "CVE-2026-6218", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:05:33.179Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6218", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T13:05:05.445688Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T13:05:13.762Z"}}], "cna": {"title": "aandrew-me ytDownloader Error Details Panel createTextNode cross site scripting", "credits": [{"lang": "en", "type": "reporter", "value": "ngocnn97 (VulDB User)"}, {"lang": "en", "type": "coordinator", "value": "VulDB CNA Team"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:X/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:X/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 5, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:ND/RL:ND/RC:UR"}}], "affected": [{"vendor": "aandrew-me", "modules": ["Error Details Panel"], "product": "ytDownloader", "versions": [{"status": "affected", "version": "3.20.0"}, {"status": "affected", "version": "3.20.1"}, {"status": "affected", "version": "3.20.2"}]}], "timeline": [{"lang": "en", "time": "2026-04-13T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-04-13T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-04-13T15:35:16.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/357139", "name": "VDB-357139 | aandrew-me ytDownloader Error Details Panel createTextNode cross site scripting", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/357139/cti", "name": "VDB-357139 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/785842", "name": "Submit #785842 | Aandrew-me ytDownloader 3.20.2 Remote code execution via DOM XSS", "tags": ["third-party-advisory"]}, {"url": "https://github.com/ngocnn97/security-advisories/blob/main/YtDownloader_XSS_To_RCE_PoC.mp4", "tags": ["exploit"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in aandrew-me ytDownloader up to 3.20.2. Affected by this issue is the function createTextNode of the component Error Details Panel. The manipulation results in cross site scripting. The attack may be performed from remote. The vendor was contacted early about this disclosure."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Cross Site Scripting"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Code Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-13T20:30:14.394Z"}}}, "cveMetadata": {"cveId": "CVE-2026-6218", "state": "PUBLISHED", "dateUpdated": "2026-04-14T13:05:33.179Z", "dateReserved": "2026-04-13T13:29:24.363Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-04-13T20:30:14.394Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in aandrew-me ytDownloader up to 3.20.2. Affected by this issue is the function createTextNode of the component Error Details Panel. The manipulation results in cross site scripting. The attack may be performed from remote. The vendor was contacted early about this disclosure."}], "id": "CVE-2026-6218", "lastModified": "2026-04-22T20:23:16.350", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-13T21:16:32.213", "references": [{"source": "cna@vuldb.com", "url": "https://github.com/ngocnn97/security-advisories/blob/main/YtDownloader_XSS_To_RCE_PoC.mp4"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/785842"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/357139"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/357139/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.20.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.20.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.20.2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ytDownloader", "source": "cna", "vendor": "aandrew-me"}, "product": "ytdownloader", "vendor": "aandrew-me"}], "analysis": {"en": {"generated_at": "2026-04-13T21:33:36.084692+00:00", "value": {"mitigation_remediation": ["Verify whether a patched version of ytDownloader that eliminates the XSS in the Error Details Panel has been released; if so, upgrade to that version immediately.", "If no patch is available, disable the Error Details Panel from being displayed to end users, or apply output sanitization to all content fed to createTextNode so that user\u2011controlled data cannot be rendered as executable script.", "Monitor the vendor\u2019s website, GitHub repository, and security advisory feeds for updates or work\u2011arounds that address this issue.", "As an interim measure, configure the web application to prevent any user\u2011controlled input from appearing in error messages or to strip script tags from such output."], "summary": {"action": "Patch", "impact": "Cross Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the aandrew-me ytDownloader product, versions up to and including 3.20.2. The affected component is the Error Details Panel\u2019s createTextNode function, and no later versions are listed as vulnerable.", "description_and_impact": "The issue arises in the createTextNode function within the Error Details Panel of aandrew-me ytDownloader. An attacker can inject arbitrary JavaScript, causing the script to execute in a victim\u2019s browser context. This enables client\u2011side code injection that may be used to steal credentials, hijack sessions, or perform other malicious actions. The description also references a proof\u2011of\u2011concept that escalates to Remote Code Execution, indicating that the initial XSS could be leveraged to gain full control of the affected system. In practice, the vulnerability is triggered by displaying error information that contains unsanitized user input.", "risk_and_exploitability": "The CVSS base score is 5.3, placing the vulnerability in a medium severity tier. EPSS data is not available, and the flaw is not listed in the CISA KEV catalog. Attack can be carried out remotely by supplying crafted content that is rendered in the error panel, a common web\u2011application vector. While the CVE notes a potential to reach Remote Code Execution, only cross\u2011site scripting is officially documented. The overall risk is that any user triggering an error that displays the panel can become a victim of client\u2011side code execution, which may be used for further exploitation."}}}}, "created": "2026-04-14T16:18:14.119775+00:00", "updated": "2026-04-14T16:33:21.269016+00:00", "vendors": ["aandrew-me", "aandrew-me$PRODUCT$ytdownloader"]}