CVE-2026-6219 - Vulnerability Details

- aandrew-me ytDownloader Compressor Feature compressor.js child_process.exec command injection

Description

A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function child_process.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.

Published: 2026-04-13

Score: 4.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a local command injection in the Compressor Feature of aandrew-me ytDownloader, achieved by manipulating the child_process.exec call in src/compressor.js. Attackers with local access can supply crafted input that is passed directly to the shell, leading to arbitrary command execution and full compromise of the affected system. This weakness is classified as OS Command Injection (CWE-77) and input validation flaw (CWE-74).

Affected Systems

All installations of aandrew-me ytDownloader up to and including version 3.20.2 are affected; the issue resides in the compressor feature and is present in all releases prior to a patch that must be applied.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity. The lack of an EPSS score and absence from the CISA KEV listing suggest that widespread exploitation is not yet documented, but the locally available command injection remains a significant risk for any user who can execute the application. Exploitation requires the attacker to have local user privileges or to compromise the system through another vector that grants local execution.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

aandrew-me

ytDownloader

affected

Version	Status	Constraints
`3.20.0`	affected	—
`3.20.1`	affected	—
`3.20.2`	affected	—

No data.

Vendor Product Confidence Versions

Aandrew-me

Ytdownloader

100%

Version	Status	Scheme	Platform
`3.20.0`	affected	semver	—
`3.20.1`	affected	semver	—
`3.20.2`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade aandrew-me ytDownloader to a version newer than 3.20.2 when a patch is released.
If no patch is available, restrict local access to the application or disable the Compressor Feature until a successor version is available.
Monitor system logs for unexpected process creation or execution of commands originating from the Compressor Feature.

Generated by OpenCVE AI on April 13, 2026 at 22:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00299.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://gist.github.com/ngocnn97/53a9f251d1cb99b1b8033e211407d1b1
https://github.com/ngocnn97/security-advisories/blob/main/YtDownloader_Command_Injection_PoC.mp4
https://vuldb.com/submit/785843
https://vuldb.com/submit/785844
https://vuldb.com/vuln/357140
https://vuldb.com/vuln/357140/cti

History

Tue, 14 Apr 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 14 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Aandrew-me Aandrew-me ytdownloader
Vendors & Products		Aandrew-me Aandrew-me ytdownloader

Mon, 13 Apr 2026 21:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function child_process.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.
Title		aandrew-me ytDownloader Compressor Feature compressor.js child_process.exec command injection
Weaknesses		CWE-74 CWE-77
References		https://gist.github.com/ngocnn97/53a9f251d1cb99b1b8033e211407d1b1 https://github.com/ngocnn97/security-advisories/blob/main/YtDownloader_Command_Injection_PoC.mp4 https://vuldb.com/submit/785843 https://vuldb.com/submit/785844 https://vuldb.com/vuln/357140 https://vuldb.com/vuln/357140/cti
Metrics		cvssV2_0 `{'score': 4.3, 'vector': 'AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 5.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Aandrew-me Ytdownloader

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-13T20:45:24.103Z

Updated: 2026-04-14T19:37:43.233Z

Reserved: 2026-04-13T13:29:29.072Z

Link: CVE-2026-6219

Vulnrichment

Updated: 2026-04-14T19:35:46.439Z

NVD

Status : Deferred

Published: 2026-04-13T21:16:32.410

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-6219

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:33:17Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object