Description
A vulnerability was found in aandrew-me ytDownloader up to 3.20.2. Affected by this issue is the function createTextNode of the component Error Details Panel. The manipulation results in cross site scripting. The attack may be performed from remote. The vendor was contacted early about this disclosure.
Published: 2026-04-13
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross Site Scripting
Action: Patch
AI Analysis

Impact

The issue arises in the createTextNode function within the Error Details Panel of aandrew-me ytDownloader. An attacker can inject arbitrary JavaScript, causing the script to execute in a victim’s browser context. This enables client‑side code injection that may be used to steal credentials, hijack sessions, or perform other malicious actions. The description also references a proof‑of‑concept that escalates to Remote Code Execution, indicating that the initial XSS could be leveraged to gain full control of the affected system. In practice, the vulnerability is triggered by displaying error information that contains unsanitized user input.

Affected Systems

The vulnerability affects the aandrew-me ytDownloader product, versions up to and including 3.20.2. The affected component is the Error Details Panel’s createTextNode function, and no later versions are listed as vulnerable.

Risk and Exploitability

The CVSS base score is 5.3, placing the vulnerability in a medium severity tier. EPSS data is not available, and the flaw is not listed in the CISA KEV catalog. The attack can be carried out remotely by supplying crafted content that is rendered in the error panel, a common web‑application vector. While the CVE notes a potential to reach Remote Code Execution, only cross‑site scripting is officially documented. The overall risk is that any user triggering an error that displays the panel can become a victim of client‑side code execution, which may be used for further exploitation.

Generated by OpenCVE AI on April 13, 2026 at 21:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether a patched version of ytDownloader that eliminates the XSS in the Error Details Panel has been released; if so, upgrade to that version immediately.
  • If no patch is available, prevent the Error Details Panel from being shown to end users, or apply output sanitization to all content fed to createTextNode so that user‑controlled data cannot be rendered as executable script.
  • Monitor the vendor’s website, GitHub repository, and security advisory feeds for updates or workarounds that address this issue.
  • As an interim measure, configure the application so that user‑controlled input does not appear in error messages, or strip script tags from such output.

Generated by OpenCVE AI on April 13, 2026 at 21:33 UTC.
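The analysis above and the recommended actions both come down to one rule: error text shown in the panel must be treated as data, never parsed as markup. The following is an added example (not code from ytDownloader or from OpenCVE) that contrasts an unsafe string-templated renderer with two safe ones, one that escapes before templating and one that builds nodes with createTextNode. The function names, the constructed error message and the tiny DOM stand-in used to run it under Node offline are all assumptions; in a real renderer you would pass the browser's `document`.

```javascript
// Added example, not ytDownloader's code. Shows why an error-details panel must
// treat error text as data: the unsafe renderer lets markup through, the two safe
// renderers do not. A minimal DOM stand-in (assumption, for running offline under
// Node) replaces the real `document` so the createTextNode path can be exercised.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five HTML-significant characters so text can be placed inside markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// UNSAFE pattern: raw error text interpolated into a template that is later
// assigned to innerHTML. Any markup inside `details` becomes part of the document.
function renderErrorUnsafe(details) {
  return `<div class="error-details"><pre>${details}</pre></div>`;
}

// SAFE pattern 1: escape before templating, so markup characters stay literal text.
function renderErrorEscaped(details) {
  return `<div class="error-details"><pre>${escapeHtml(details)}</pre></div>`;
}

// SAFE pattern 2: build nodes and append the text with createTextNode, which never
// parses its argument as HTML. `doc` is the real `document` in a browser/renderer.
function renderErrorPanel(doc, details) {
  const panel = doc.createElement('div');
  panel.className = 'error-details';
  const pre = doc.createElement('pre');
  pre.appendChild(doc.createTextNode(details));
  panel.appendChild(pre);
  return panel;
}

// Minimal DOM stand-in (assumption, not a real DOM): just enough of createElement,
// createTextNode, appendChild, textContent and outerHTML to serialise the result.
class FakeText {
  constructor(data) { this.data = String(data); }
  get textContent() { return this.data; }
  // As a browser serialiser does, text-node data is escaped when printed as HTML.
  get outerHTML() { return escapeHtml(this.data); }
}
class FakeElement {
  constructor(tagName) { this.tagName = tagName; this.className = ''; this.childNodes = []; }
  appendChild(node) { this.childNodes.push(node); return node; }
  get textContent() { return this.childNodes.map((n) => n.textContent).join(''); }
  get outerHTML() {
    const cls = this.className ? ` class="${escapeHtml(this.className)}"` : '';
    const inner = this.childNodes.map((n) => n.outerHTML).join('');
    return `<${this.tagName}${cls}>${inner}</${this.tagName}>`;
  }
}
const fakeDocument = {
  createElement: (tagName) => new FakeElement(tagName),
  createTextNode: (data) => new FakeText(data),
};

// Constructed sample: a failure message that echoes attacker-influenced text
// (for instance a media title) which happens to contain markup.
const CONSTRUCTED_ERROR = 'Download failed for "<img src=x onerror=alert(1)>": HTTP 403';

// True when the serialised markup still contains an unescaped tag from the input.
function leaksMarkup(html) {
  return /<img\b/i.test(html);
}

// Run all three renderers over the sample and report whether markup survived.
function demo() {
  const unsafe = renderErrorUnsafe(CONSTRUCTED_ERROR);
  const escaped = renderErrorEscaped(CONSTRUCTED_ERROR);
  const panel = renderErrorPanel(fakeDocument, CONSTRUCTED_ERROR);
  return {
    unsafeLeaks: leaksMarkup(unsafe),          // true: the tag reaches the document
    escapedLeaks: leaksMarkup(escaped),        // false
    panelLeaks: leaksMarkup(panel.outerHTML),  // false
    panelText: panel.textContent,              // the original text, shown verbatim
  };
}

console.log(demo());
```

The createTextNode path is the one to prefer in a DOM-based UI: the text is never parsed, so no escaping step can be forgotten. Escaping before templating works too, but only if every interpolation site uses it, which is exactly the kind of omission that turns a diagnostics panel into a script-injection point.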


Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:30:00 +0000

Type: First Time appeared
  Values Added: Aandrew-me; Aandrew-me ytdownloader

Type: Vendors & Products
  Values Added: Aandrew-me; Aandrew-me ytdownloader

Tue, 14 Apr 2026 13:15:00 +0000

Type: Metrics
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 20:45:00 +0000

Type: Description
  Values Added: A vulnerability was found in aandrew-me ytDownloader up to 3.20.2. Affected by this issue is the function createTextNode of the component Error Details Panel. The manipulation results in cross site scripting. The attack may be performed from remote. The vendor was contacted early about this disclosure.

Type: Title
  Values Added: aandrew-me ytDownloader Error Details Panel createTextNode cross site scripting

Type: Weaknesses
  Values Added: CWE-79; CWE-94

Type: References
  Values Added: (none listed)

Type: Metrics
  Values Added:
    cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:ND/RL:ND/RC:UR'}
    cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:X/RL:X/RC:R'}
    cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:X/RL:X/RC:R'}
    cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-14T13:05:33.179Z

Reserved: 2026-04-13T13:29:24.363Z

Link: CVE-2026-6218

Vulnrichment

Updated: 2026-04-14T13:05:13.762Z

NVD

Status: Deferred

Published: 2026-04-13T21:16:32.213

Modified: 2026-04-22T20:23:16.350

Link: CVE-2026-6218

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:33:21Z

Weaknesses