SCA: security update for yt-dlp (GHSA-g3gw-q23r-pgqm)

Severity: High | Tenable Self-Hosted Container Security | Plugin ID 437933

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 and prior to version
2026.02.21, when yt-dlp's `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter) is used,
an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL.
yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses `--netrc-cmd` in
their command/configuration or `netrc_cmd` in their Python scripts. Even though the maliciously crafted
URL itself will look very suspicious to many users, it would be trivial for a maliciously crafted webpage
with an inconspicuous URL to covertly exploit this vulnerability via HTTP redirect. Users without
`--netrc-cmd` in their arguments or `netrc_cmd` in their scripts are unaffected. No evidence has been
found of this exploit being used in the wild. yt-dlp version 2026.02.21 fixes this issue by validating all
netrc "machine" values and raising an error upon unexpected input. As a workaround, users who are unable
to upgrade should avoid using the `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter),
or they should at least not pass a placeholder (`{}`) in their `--netrc-cmd` argument. (CVE-2026-26331)
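To make the injection path concrete, the following is an added Python example; it is not yt-dlp's code and does not reproduce its implementation. It mimics the placeholder-substitution pattern the advisory describes (a user-supplied netrc command in which `{}` is replaced by the netrc "machine" value taken from the target URL's host), shows a constructed HTTP redirect delivering a host name that carries shell metacharacters, and places the vulnerable routine beside a hardened one that validates the machine value and raises on unexpected input, which is the kind of check the advisory says the fix adds. The URLs, the redirect table, the `echo`-based command template and the host-name pattern are all constructed assumptions for the demonstration.

```python
"""Illustrative reproduction of the --netrc-cmd injection pattern.

Added example, not yt-dlp's code. All inputs below are constructed.
"""
import re
import subprocess
from urllib.parse import urlparse

# Constructed sample data (assumptions, not taken from the advisory):
# a benign URL, a URL whose host part carries shell metacharacters, and a
# redirect table standing in for a web page that 302s an inconspicuous
# URL to the crafted one.
BENIGN_URL = "https://example.com/watch?v=1"
CRAFTED_URL = "https://example.com;echo injected/watch"
REDIRECTS = {"https://short.example.org/clip": CRAFTED_URL}

# A hypothetical user-configured netrc command; "{}" is the placeholder
# that gets replaced by the netrc machine name.
NETRC_CMD = "echo machine {} login alice password s3cret"

# Hostname shape (RFC 1123 style labels): letters, digits, hyphens,
# no leading/trailing hyphen, labels joined by dots. Assumed check.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def resolve_redirects(url, table):
    """Follow the constructed redirect table; returns the final URL."""
    seen = set()
    while url in table and url not in seen:
        seen.add(url)
        url = table[url]
    return url


def machine_from_url(url):
    """The netrc 'machine' value is the final URL's host name."""
    return urlparse(url).hostname or ""


def run_netrc_cmd_vulnerable(template, url, table=REDIRECTS):
    """Raw substitution of the host into a shell command string.

    A host such as 'example.com;echo injected' splits the command line,
    so the attacker-controlled part runs as its own shell command.
    """
    machine = machine_from_url(resolve_redirects(url, table))
    cmd = template.replace("{}", machine)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False)
    return proc.stdout


def validate_machine(machine):
    """Reject anything that is not a plausible host name."""
    if not HOSTNAME_RE.match(machine):
        raise ValueError(f"unexpected netrc machine value: {machine!r}")
    return machine


def run_netrc_cmd_hardened(template, url, table=REDIRECTS):
    """Same substitution, but only after the machine value is validated."""
    machine = validate_machine(machine_from_url(resolve_redirects(url, table)))
    cmd = template.replace("{}", machine)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=False)
    return proc.stdout


def hardened_rejects(url, table=REDIRECTS):
    """True if the hardened path refuses to run the command for this URL."""
    try:
        run_netrc_cmd_hardened(NETRC_CMD, url, table)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The inconspicuous URL resolves to the crafted host; the vulnerable
    # path executes the injected command, the hardened path refuses.
    print(run_netrc_cmd_vulnerable(NETRC_CMD, "https://short.example.org/clip"))
    print(run_netrc_cmd_hardened(NETRC_CMD, BENIGN_URL))
    print(hardened_rejects("https://short.example.org/clip"))
```

The validation sits on the value that reaches the shell, not on the URL the user typed, because the redirect step means the two can differ; that is why the advisory stresses that an inconspicuous URL is enough. Validation is also independent of how the user wrote the template, which quoting the substituted value alone would not be, since the placeholder may already sit inside quotes in a user-supplied command.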

See Also

https://github.com/advisories/GHSA-g3gw-q23r-pgqm

Plugin Details

Severity: High

ID: 437933

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 2/24/2026

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.6

Percentile: 98.49

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-26331

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/23/2026

Vulnerability Publication Date: 2/23/2026

Reference Information

CVE: CVE-2026-26331

CWE: CWE-78