Description
yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, a vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as .desktop, .url, .webloc) to the user's filesystem, bypassing the remediation for CVE-2024-38519. The allowlist explicitly included the unsafe extensions .desktop, .url, and .webloc so that the functionality of the --write-link option (and its variants) could be preserved. These allowlist inclusions can be exploited by an attacker to write malicious OS-shortcut files in the context of a media or subtitles download. This vulnerability is fixed in 2026.06.09.
Published: 2026-06-23
Score: 8.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

yt-dlp, a command-line audio/video downloader, allows a remote attacker to have arbitrary OS-shortcut files written to the user's filesystem: .desktop (freedesktop/Linux desktops), .url (Windows) and .webloc (macOS). The extension allowlist introduced to remediate CVE-2024-38519 deliberately kept these three extensions so that --write-link and its variants (--write-url, --write-webloc, --write-desktop) would keep working, but the same allowlist governs media and subtitle output, so a remote site could get a media or subtitle download saved under one of them with attacker-chosen contents. A shortcut file's body names a command (the Exec= line of a .desktop file) or a URL (.url and .webloc) that the desktop launches when the user opens the file, so an attacker-controlled shortcut in the download directory leads to arbitrary command execution or an attacker-chosen URL being opened if the user double-clicks it.
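The following is an added example for this page, not yt-dlp's code, modelling the allowlist mistake described above: a single extension allowlist shared by every output path (the pre-fix shape) beside a hardened check where the caller states what kind of file it is writing and shortcut extensions are accepted only for the locally generated link output. The extension sets and the function and purpose names are assumptions chosen for illustration; the real project's sanitization also covers titles and paths, which this model leaves out.

```python
"""Model of the allowlist mistake behind CVE-2026-50023, written as an added
example for this page; it is not yt-dlp's code, and the extension sets and
function names are assumptions chosen for illustration."""

# Constructed allowlist: a few media/subtitle extensions plus the three
# shortcut extensions the advisory says were kept so --write-link kept working.
MEDIA_EXTENSIONS = frozenset({"mp4", "mkv", "webm", "m4a", "mp3", "opus"})
SUBTITLE_EXTENSIONS = frozenset({"vtt", "srt", "ass"})
SHORTCUT_EXTENSIONS = frozenset({"desktop", "url", "webloc"})

# Hardened form: which output kinds may carry which extensions.
ALLOWED_BY_PURPOSE = {
    "media": MEDIA_EXTENSIONS,
    "subtitle": SUBTITLE_EXTENSIONS,
    "link": SHORTCUT_EXTENSIONS,   # only the locally generated --write-link output
}


class UnsafeExtensionError(ValueError):
    """Raised when an output filename extension is refused."""


def normalize(ext: str) -> str:
    # Extractors may hand back "MP4" or ".mp4"; compare on the bare lowercase form.
    return ext.strip().lstrip(".").lower()


def sanitize_extension_vulnerable(ext: str) -> str:
    """Pre-fix shape: one allowlist shared by every code path, so an extractor
    supplying ext="desktop" for a subtitle passes exactly like a real subtitle."""
    ext = normalize(ext)
    if ext not in MEDIA_EXTENSIONS | SUBTITLE_EXTENSIONS | SHORTCUT_EXTENSIONS:
        raise UnsafeExtensionError(f"refusing extension {ext!r}")
    return ext


def sanitize_extension_hardened(ext: str, purpose: str) -> str:
    """Hardened shape: the caller states what it is writing, and shortcut
    extensions are accepted only for link output whose body the tool itself
    generates, never for a name that came from the remote site."""
    ext = normalize(ext)
    try:
        allowed = ALLOWED_BY_PURPOSE[purpose]
    except KeyError:
        raise ValueError(f"unknown output purpose {purpose!r}") from None
    if ext not in allowed:
        raise UnsafeExtensionError(f"refusing extension {ext!r} for {purpose} output")
    return ext


def output_filename(title: str, ext: str, purpose: str, hardened: bool) -> str:
    """Build the name a download would be saved under, or raise."""
    clean = (sanitize_extension_hardened(ext, purpose) if hardened
             else sanitize_extension_vulnerable(ext))
    return f"{title}.{clean}"


def accepted(ext: str, purpose: str, hardened: bool) -> bool:
    """True if the selected check would let this extension through."""
    try:
        output_filename("talk", ext, purpose, hardened)
    except UnsafeExtensionError:
        return False
    return True


if __name__ == "__main__":
    # A remote site claims its "subtitle" is a .desktop file.
    for hardened in (False, True):
        print("hardened" if hardened else "vulnerable",
              {ext: accepted(ext, "subtitle", hardened)
               for ext in ("vtt", ".DESKTOP", "url", "exe")})
    # The legitimate --write-link path still works in the hardened form.
    print(output_filename("talk", "desktop", "link", hardened=True))
```

The point of the hardened form is that "is this extension ever legitimate?" is the wrong question; the check has to be "is this extension legitimate for what this caller is writing, given who chose the name?". Shortcut extensions are fine when yt-dlp both picks the name and writes the body, and never fine when the extension came from the extractor.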

Affected Systems

The affected product is yt-dlp, every version released before 2026.06.09. The three shortcut formats are the native ones of freedesktop/Linux desktops (.desktop), Windows (.url) and macOS (.webloc), so users on all three platforms are in scope. The exposed code path is an ordinary media or subtitle download whose file extension the remote site can influence; the user does not have to pass --write-link or any of its variants for the shortcut extensions to be accepted.

Risk and Exploitability

The CVSS v3.1 base score is 8.3 (High), vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H: the attack is remote and needs no privileges, but attack complexity is high and user interaction is required, and scope is changed because the damage occurs outside yt-dlp when the desktop opens the shortcut. No EPSS score is available and the CVE is not listed in the CISA KEV catalog. Exploitation is remote, not local: the attacker needs the victim to download media or subtitles from a site the attacker controls or can influence, so that yt-dlp saves the response under a .desktop, .url or .webloc name with attacker-chosen contents; the command or URL inside the shortcut only runs when the victim later opens that file. The flaw is fixed in release 2026.06.09.

Generated by OpenCVE AI on June 24, 2026 at 11:10 UTC.

Remediation

Fixed upstream in yt-dlp 2026.06.09 (advisory GHSA-c6mh-fpjc-4pr3). No workaround is listed by the vendor.

OpenCVE Recommended Actions

  • Upgrade yt-dlp to 2026.06.09 or newer, which corrects the filename sanitization so that shortcut extensions are no longer accepted for attacker-influenced media and subtitle output
  • Until upgraded, download only from sources you trust; the shortcut file is produced by the media or subtitle download itself, not by --write-link, so avoiding that option does not remove the exposure
  • Audit download directories for .desktop, .url or .webloc files you did not ask for, inspect their Exec= or URL= targets before opening anything, and treat unexpected shortcut files as attacker-controlled
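Two checks a practitioner would run after reading the actions above, as an added example for this page (not OpenCVE's or yt-dlp's code): confirm that an installed version string is at or past the fixed release, and sweep a download directory for shortcut files, reporting what each would run or open. The sample download directory is constructed inside the script; the version-format assumption is that yt-dlp uses calendar versions of the form YYYY.MM.DD with an optional fourth numeric part on nightly builds.

```python
"""Post-advisory checks: is the installed yt-dlp at or past the fixed release,
and does a download directory hold OS-shortcut files that a media or subtitle
download should never produce? Added example for this page, not OpenCVE's or
yt-dlp's code; the sample download directory below is constructed."""
import os
import plistlib
import re
import tempfile
from typing import Optional

FIXED_VERSION = (2026, 6, 9)          # first release with the fix per the advisory
SHORTCUT_SUFFIXES = (".desktop", ".url", ".webloc")


def parse_yt_dlp_version(text: str) -> tuple:
    """yt-dlp uses calendar versions, YYYY.MM.DD; nightly builds append a
    fourth numeric part, which is ignored for the comparison."""
    m = re.match(r"\s*(\d{4})\.(\d{2})\.(\d{2})", text)
    if not m:
        raise ValueError(f"not a yt-dlp version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_fixed_version(text: str) -> bool:
    """True if `text` (e.g. the output of `yt-dlp --version`) is >= 2026.06.09."""
    return parse_yt_dlp_version(text) >= FIXED_VERSION


def shortcut_target(path: str) -> Optional[str]:
    """What the shortcut would run or open: Exec= for .desktop,
    URL= for .url (INI-style), the URL key for .webloc (a plist)."""
    low = path.lower()
    if low.endswith(".webloc"):
        with open(path, "rb") as f:
            return plistlib.load(f).get("URL")
    key = "Exec" if low.endswith(".desktop") else "URL"
    with open(path, encoding="utf-8", errors="replace") as f:
        for line in f:
            name, sep, value = line.strip().partition("=")
            if sep and name.strip() == key:
                return value.strip()
    return None


def find_shortcut_files(root: str) -> dict:
    """Map basename -> target for every shortcut file under `root`."""
    found = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(SHORTCUT_SUFFIXES):
                found[name] = shortcut_target(os.path.join(dirpath, name))
    return found


def build_sample_download_dir() -> str:
    """Constructed sample: a video and its subtitle as yt-dlp would normally
    save them, plus the three shortcut types an attacker-influenced download
    could have produced with attacker-chosen bodies."""
    root = tempfile.mkdtemp(prefix="ytdlp-audit-")
    files = {
        "talk.mp4": b"\x00" * 16,
        "talk.en.vtt": b"WEBVTT\n\n00:00.000 --> 00:01.000\nhello\n",
        "talk.desktop": b"[Desktop Entry]\nType=Application\nName=talk\n"
                        b"Exec=/bin/sh -c \"echo not-a-subtitle\"\n",
        "talk.url": b"[InternetShortcut]\r\nURL=http://example.invalid/\r\n",
        "talk.webloc": plistlib.dumps({"URL": "http://example.invalid/webloc"}),
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


def scan_demo() -> dict:
    """Build the constructed directory and return its shortcut findings."""
    return find_shortcut_files(build_sample_download_dir())


if __name__ == "__main__":
    for v in ("2026.05.01", "2026.06.09", "2026.07.01.123456"):
        print(v, "fixed" if is_fixed_version(v) else "VULNERABLE")
    for name, target in sorted(scan_demo().items()):
        print(f"{name}: {target}")
```

Point `find_shortcut_files` at a real download directory to use it as an audit; any .desktop whose Exec= line you did not write yourself, or any .url/.webloc pointing somewhere you did not request, should be deleted without opening it.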


Advisories
Source: GitHub GHSA
ID: GHSA-c6mh-fpjc-4pr3
Title: yt-dlp: Dangerous file type creation via insufficient filename sanitization (Bypass of CVE-2024-38519)
History

Tue, 23 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Yt-dlp; Yt-dlp yt-dlp
Vendors & Products | - | Yt-dlp; Yt-dlp yt-dlp

Tue, 23 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | - | yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, a vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as .desktop, .url, .webloc) to the user's filesystem, bypassing the remediation for CVE-2024-38519. The allowlist explicitly included the unsafe extensions .desktop, .url, and .webloc so that the functionality of the --write-link option (and its variants) could be preserved. These allowlist inclusions can be exploited by an attacker to write malicious OS-shortcut files in the context of a media or subtitles download. This vulnerability is fixed in 2026.06.09.
Title | - | yt-dlp: Dangerous file type creation via insufficient filename sanitization (Bypass of CVE-2024-38519)
Weaknesses | - | CWE-641
References | - | -
Metrics | - | cvssV3_1 {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T16:08:43.003Z

Reserved: 2026-06-02T22:46:02.579Z

Link: CVE-2026-50023

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T11:15:04Z

Weaknesses
  • CWE-641

    Improper Restriction of Names for Files and Other Resources