yt-dlp
PyPI8 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting yt-dlppage 1 of 1
- CVE-2023-35934MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2023.7.062023-07-06
vulnerable: 2021.1.15 ... 2023.6.22 (72 versions)
yt-dlp is a command-line program to download videos from video sites. During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for down…
- CVE-2023-40581HIGHCVSS 8.3EG 8.3✓ Fixed in 2023.09.242023-09-25
vulnerable: 2021.10.10 ... 2023.7.6 (51 versions)
yt-dlp is a youtube-dl fork with additional features and fixes. yt-dlp allows the user to provide shell command lines to be executed at various stages in its download steps through the `--exec` flag. This flag allows output template expans…
- CVE-2023-46121LOWCVSS 3.7EG 5.0✓ Fixed in 2023.11.142023-11-15
vulnerable: 2022.10.4 ... 2023.9.24 (15 versions)
yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from …
- CVE-2024-22423HIGHCVSS 8.3EG 8.3✓ Fixed in 2024.04.092024-04-09
vulnerable: 2021.10.10 ... 2024.4.8.232708.dev0 (139 versions)
yt-dlp is a youtube-dl fork with additional features and fixes. The patch that addressed CVE-2023-40581 attempted to prevent RCE when using `--exec` with `%q` by replacing double quotes with two double quotes. However, this escaping is not…
- CVE-2024-38519HIGHCVSS 7.8EG 7.8✓ Fixed in 2024.07.012024-07-02
vulnerable: 2021.1.15 ... 2024.6.30.232744.dev0 (201 versions)
`yt-dlp` and `youtube-dl` are command-line audio/video downloaders. Prior to the fixed versions, `yt-dlp` and `youtube-dl` do not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the downl…
- CVE-2026-50019HIGHCVSS 7.4EG 7.4✓ Fixed in 2026.6.92026-06-16
vulnerable: 2023.10.13 ... 2026.6.6.234447.dev0 (523 versions)
yt-dlp is a command-line audio/video downloader. From 2023.09.24 until 2026.06.09, if curl is used as an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments…
- CVE-2026-50023CRITICALCVSS 9.6EG 9.6✓ Fixed in 2026.6.92026-06-16
vulnerable: 2021.1.15 ... 2026.6.6.234447.dev0 (596 versions)
yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, a vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as .desktop, .url, .webloc) to the user's filesystem, bypassing…
- CVE-2026-50574CRITICALCVSS 9.6EG 9.6✓ Fixed in 2026.6.92026-06-16
vulnerable: 2021.1.15 ... 2026.6.6.234447.dev0 (596 versions)
yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, if aria2c is used as an external downloader for a fragmented manifest format (such as an HLS/DASH stream), yt-dlp passes insufficiently sanitized input to aria2c that al…
Check whether yt-dlp is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for yt-dlp CVEs against the assets you own.
Start Free Scan →