Description
yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 and prior to version 2026.02.21, when yt-dlp's `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL. yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses `--netrc-cmd` in their command/configuration or `netrc_cmd` in their Python scripts. Even though the maliciously crafted URL itself will look very suspicious to many users, it would be trivial for a maliciously crafted webpage with an inconspicuous URL to covertly exploit this vulnerability via HTTP redirect. Users without `--netrc-cmd` in their arguments or `netrc_cmd` in their scripts are unaffected. No evidence has been found of this exploit being used in the wild. yt-dlp version 2026.02.21 fixes this issue by validating all netrc "machine" values and raising an error upon unexpected input. As a workaround, users who are unable to upgrade should avoid using the `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter), or they should at least not pass a placeholder (`{}`) in their `--netrc-cmd` argument.
Published: 2026-02-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Command Execution in yt-dlp via the "--netrc-cmd" option
Action: Patch
AI Analysis

Impact

A flaw in yt-dlp allows a maliciously crafted URL to trigger command injection when the program is run with the "--netrc-cmd" command‑line option (or the equivalent `netrc_cmd` Python API parameter). That option names a shell command yt‑dlp runs to obtain credentials, with a `{}` placeholder standing in for the netrc "machine" value. Vulnerable versions substitute the machine value into that command without validating it, so a URL that yields a machine value containing shell metacharacters gets the attacker's text executed as part of the command, with the privileges of the user running yt‑dlp. The vulnerability is classified as CWE‑78 (OS command injection: improper neutralization of special elements in a command passed to the shell). Successful exploitation compromises confidentiality, integrity, and availability of the affected system.
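The substitute‑then‑execute pattern described above, as an added worked example written for this page rather than code from the yt‑dlp project. It assumes, for illustration only, that the machine value is taken from the URL's host, that the command template uses a `{}` placeholder as `--netrc-cmd` does, and it uses an `echo` command as a stand‑in for a real credential helper. The vulnerable builder and a hardened builder sit side by side; the hardened one rejects anything that is not a plain hostname, which is the shape of the upstream fix (validate the machine value, raise on unexpected input), not its actual code.

```python
import re
import subprocess
from urllib.parse import urlsplit

# A netrc "machine" is a hostname: dot-separated labels of letters, digits
# and hyphens that neither start nor end with a hyphen. Spaces, ';', '$',
# backticks, '|' and quotes have no business in it.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_MACHINE_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def machine_from_url(url: str) -> str:
    """Assumption for this example: the machine value is the URL's host."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"URL has no host: {url!r}")
    return host


def build_netrc_cmd_vulnerable(template: str, machine: str) -> str:
    """The weak pattern: textual substitution of an untrusted value into a
    string destined for the shell. Whatever the value contains becomes
    shell syntax (e.g. ';' ends the echo and starts a second command)."""
    return template.replace("{}", machine)


def is_valid_machine(machine: str) -> bool:
    """True only for a plain hostname."""
    return _MACHINE_RE.fullmatch(machine) is not None


def validate_machine(machine: str) -> str:
    """Reject any machine value that is not a plain hostname."""
    if not is_valid_machine(machine):
        raise ValueError(f"unexpected netrc machine value: {machine!r}")
    return machine


def build_netrc_cmd_hardened(template: str, machine: str) -> str:
    """Same substitution, but only after the value passed validation."""
    return template.replace("{}", validate_machine(machine))


def run_netrc_cmd(cmd: str) -> dict:
    """Run an already built and validated command through the shell, as a
    netrc-cmd style integration would, and parse
    'machine M login L password P' from its stdout."""
    out = subprocess.run(cmd, shell=True, capture_output=True,
                         text=True, check=True).stdout
    t = out.split()
    if len(t) < 6 or t[0] != "machine" or t[2] != "login" or t[4] != "password":
        raise ValueError(f"unexpected netrc output: {out!r}")
    return {"machine": t[1], "login": t[3], "password": t[5]}


def lookup_credentials(template: str, url: str) -> dict:
    """Hardened end-to-end path: URL -> machine -> validated command -> entry."""
    return run_netrc_cmd(build_netrc_cmd_hardened(template, machine_from_url(url)))


if __name__ == "__main__":
    # Stand-in for a secret-manager invocation; constructed for this example.
    TEMPLATE = "echo machine {} login demo password s3cret"
    good = "https://example.com/watch?v=abc"
    bad = "http://example.com;id/watch"   # constructed: host carries a shell metacharacter
    # The vulnerable string is only built and shown, never executed.
    print("vulnerable would run:", build_netrc_cmd_vulnerable(TEMPLATE, machine_from_url(bad)))
    print("hardened result:", lookup_credentials(TEMPLATE, good))
    try:
        lookup_credentials(TEMPLATE, bad)
    except ValueError as err:
        print("rejected:", err)
```

The check is placed on the value rather than on quoting the template, because the template is the user's own shell snippet and the `{}` placeholder may already sit inside quotes there; a hostname allow‑list makes the substitution safe regardless of how the template is written. The vulnerable command string is built for display only and is never passed to the shell.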

Affected Systems

Users of yt‑dlp versions from 2023.06.21 up to, but not including, 2026.02.21 are affected when they run it with "--netrc-cmd" (or `netrc_cmd` in a Python script); users without that option are not affected. Versions 2026.02.21 and later validate all netrc "machine" values and raise an error on unexpected input. The affected product is the yt‑dlp command‑line audio/video downloader (CPE vendor `yt-dlp_project`).

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) marks this a high‑severity bug: reachable over the network, low attack complexity, no privileges required, but it needs user interaction in the form of downloading an attacker‑chosen URL. The EPSS score is reported as less than 1 %, it is not listed in the CISA KEV catalog, and the maintainers report no evidence of exploitation in the wild. The attack path requires a user or script to invoke yt‑dlp with the vulnerable option against a URL the attacker controls. The crafted URL itself looks suspicious, but an inconspicuous page can redirect to it and yt‑dlp follows HTTP redirects automatically, so exposure is not limited to URLs that look odd; any deployment that feeds untrusted URLs to yt‑dlp with "--netrc-cmd" set should be treated as exposed. Without "--netrc-cmd" or `netrc_cmd`, the system is not affected.

Generated by OpenCVE AI on April 17, 2026 at 15:55 UTC.

Remediation

Vendor fix: yt‑dlp 2026.02.21, which validates all netrc "machine" values and raises an error on unexpected input. Workaround for users who cannot upgrade: do not use the "--netrc-cmd" option (or the `netrc_cmd` Python API parameter), or at least do not pass the `{}` placeholder in the "--netrc-cmd" argument.

OpenCVE Recommended Actions

  • Upgrade yt‑dlp to version 2026‑02‑21 or later to apply the official fix.
  • If an update is not possible, remove the "--netrc-cmd" option from command lines and configuration files (and `netrc_cmd` from Python scripts), or at least stop passing the `{}` placeholder in the "--netrc-cmd" argument.
  • Treat URLs from untrusted sources as hostile input: yt‑dlp follows redirects automatically, so an inconspicuous URL is no proof of safety. Audit any scripts that generate or accept URLs for yt‑dlp.
  • Verify that no files or scripts on the system contain the vulnerable option or parameters, and monitor for unexpected process executions.


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-g3gw-q23r-pgqm
Title: yt-dlp: Arbitrary Command Injection when using the `--netrc-cmd` option
History

Wed, 25 Feb 2026 19:45:00 +0000

  Values added:
  • First time appeared: Yt-dlp Project; Yt-dlp Project yt-dlp
  • CPEs: cpe:2.3:a:yt-dlp_project:yt-dlp:*:*:*:*:*:*:*:*
  • Vendors & Products: Yt-dlp Project; Yt-dlp Project yt-dlp

Wed, 25 Feb 2026 09:15:00 +0000

  Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 12:15:00 +0000

  Values added:
  • References
  • Metrics (threat_severity): removed None, added Important


Tue, 24 Feb 2026 10:00:00 +0000

  Values added:
  • First time appeared: Yt-dlp; Yt-dlp yt-dlp
  • Vendors & Products: Yt-dlp; Yt-dlp yt-dlp

Tue, 24 Feb 2026 03:00:00 +0000

  Values added:
  • Description: the description shown at the top of this page
  • Title: yt-dlp: Arbitrary Command Injection when using the `--netrc-cmd` option
  • Weaknesses: CWE-78
  • References
  • Metrics (cvssV3_1): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-24T20:08:47.720Z

Reserved: 2026-02-13T16:27:51.810Z

Link: CVE-2026-26331

Vulnrichment

Updated: 2026-02-24T20:08:37.464Z

NVD

Status : Analyzed

Published: 2026-02-24T03:16:01.710

Modified: 2026-02-25T19:32:30.417

Link: CVE-2026-26331

Red Hat

Severity : Important

Public Date: 2026-02-24T02:23:40Z

Links: CVE-2026-26331 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T16:00:11Z

Weaknesses