SCA: security update for yt-dlp (GHSA-vx4q-3cr2-7cg2)

critical Tenable Cloud Security Plugin ID 443328

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, if aria2c is used as an external downloader for a fragmented manifest format (such as an HLS/DASH stream), yt-dlp passes insufficiently sanitized input to aria2c that allows an attacker to perform an arbitrary file write. On Windows platforms, this can lead to immediate arbitrary code execution. On non-Windows platforms, this can lead to arbitrary code execution upon the next invocation of yt-dlp. This vulnerability is fixed in 2026.06.09. (CVE-2026-50574)

Solution

Update the yt-dlp library and its related packages to version 2026.6.9 or later. This is the 2026.06.09 release named in the advisory; package tooling drops the leading zeros when normalizing the version string, so both spellings refer to the same release. The vulnerable code path is only reached when aria2c is selected as the external downloader, but upgrading is the fix in either case.
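The version gate above is easy to get wrong because the same release is written as 2026.06.09 by yt-dlp and as 2026.6.9 by pip; a naive string comparison would treat them as different. The following is an added example (not Tenable's plugin logic and not yt-dlp's own code) that normalizes yt-dlp's calendar-style versions into integer tuples and reports whether an installed copy predates the fix. The helper names, the optional fourth version component it tolerates, and the use of `importlib.metadata` / `yt-dlp --version` to discover the installed version are assumptions for the illustration.

```python
"""Version gate for CVE-2026-50574 (added example, not Tenable's or yt-dlp's code)."""
import re
import subprocess
from importlib import metadata
from typing import Optional, Tuple

# First fixed release per the advisory (GHSA-vx4q-3cr2-7cg2).
FIXED_VERSION = "2026.06.09"

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2026.06.09', its PEP 440 form '2026.6.9', or a version with an
    extra numeric component (e.g. '2026.06.09.1', assumed shape) into a tuple
    of ints. int() discards leading zeros, so both spellings compare equal.
    Anything non-numeric (dev/pre-release tags) is rejected rather than guessed."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised yt-dlp version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `installed` is strictly older than the fixed release, i.e. the
    advisory's 'prior to 2026.06.09'. Tuple comparison handles calendar versions
    correctly (2025.12.30 < 2026.06.09) and a patch-level suffix sorts after
    its base release (2026.6.9.1 is not vulnerable)."""
    return parse_version(installed) < parse_version(fixed)


def installed_version() -> Optional[str]:
    """Best-effort discovery of the installed yt-dlp version: the Python
    distribution metadata first (what pip reports), then the CLI on PATH.
    Returns None when neither is present."""
    try:
        return metadata.version("yt-dlp")
    except metadata.PackageNotFoundError:
        pass
    try:
        proc = subprocess.run(
            ["yt-dlp", "--version"], capture_output=True, text=True,
            check=True, timeout=30,
        )
    except (FileNotFoundError, subprocess.CalledProcessError, subprocess.TimeoutExpired):
        return None
    return proc.stdout.strip() or None


def assess(version: Optional[str]) -> str:
    """Human-readable verdict used by the command-line entry point below."""
    if version is None:
        return "yt-dlp not found; nothing to assess"
    if is_vulnerable(version):
        return f"yt-dlp {version} is affected by CVE-2026-50574; upgrade to {FIXED_VERSION} or later"
    return f"yt-dlp {version} is at or past {FIXED_VERSION}; not affected"


if __name__ == "__main__":
    print(assess(installed_version()))
```

Run it on the host or inside the container image being scanned; for an SCA-style check over a lock file or `pip freeze` output, feed each `yt-dlp==<version>` pin through `is_vulnerable` instead of calling `installed_version`.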

See Also

https://github.com/advisories/GHSA-vx4q-3cr2-7cg2

Plugin Details

Severity: Critical

ID: 443328

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 6/17/2026

Updated: 6/30/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.19

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-50574

CVSS v3

Risk Factor: Critical

Base Score: 9.6

Temporal Score: 8.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/16/2026

Vulnerability Publication Date: 6/16/2026

Reference Information

CVE: CVE-2026-50574

CWE: CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'))