Python Library yt-dlp < 2026.6.9 Multiple Vulnerabilities

high Nessus Plugin ID 321527

Synopsis

A Python library installed on the remote host is affected by multiple vulnerabilities.

Description

The detected version of the yt-dlp Python package is prior to 2026.6.9. It is, therefore, affected by multiple vulnerabilities:

- A vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as .desktop, .url, .webloc) to the user's filesystem, bypassing the remediation for CVE-2024-38519. (CVE-2026-50023)

- If aria2c is used as an external downloader for a fragmented manifest format (such as an HLS/DASH stream), yt-dlp passes insufficiently sanitized input to aria2c that allows an attacker to perform an arbitrary file write. On Windows platforms, this can lead to immediate arbitrary code execution. On non-Windows platforms, this can lead to arbitrary code execution upon the next invocation of yt-dlp. (CVE-2026-50574)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to yt-dlp version 2026.6.9 or later.
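Because detection here rests on the self-reported package version, the same comparison can be run inside each Python environment to confirm the upgrade took effect. The script below is an added example, not the Nessus plugin's code: the function names are illustrative, and treating a pre-release of 2026.6.9 as unfixed is an assumption.

```python
import re
from importlib import metadata

FIXED = (2026, 6, 9)  # fixed release named in the advisory
_VERSION = re.compile(
    r"\s*v?(\d+(?:\.\d+)*)\s*[-._]?\s*(dev|a|b|rc|alpha|beta|pre)?", re.I)


def is_affected(version_text, fixed=FIXED):
    """Return True if version_text sorts before the fixed release."""
    m = _VERSION.match(version_text)
    if not m:
        raise ValueError(f"unrecognised version string: {version_text!r}")
    # Compare numerically: as strings, "2026.10.1" would sort before "2026.6.9",
    # and zero-padded forms such as "2026.06.08" would not compare cleanly.
    release = tuple(int(part) for part in m.group(1).split("."))
    width = max(len(release), len(fixed))
    release += (0,) * (width - len(release))
    target = tuple(fixed) + (0,) * (width - len(fixed))
    if release == target:
        # Assumption: a pre-release of the fixed version counts as unfixed.
        return m.group(2) is not None
    return release < target


def installed_ytdlp():
    """Yield (version, location) for each yt-dlp distribution on sys.path."""
    for dist in metadata.distributions():
        name = dist.metadata.get("Name") or ""
        # Normalise separators so "yt_dlp" and "yt.dlp" match as well.
        if re.sub(r"[-_.]+", "-", name).lower() == "yt-dlp":
            yield dist.version, str(dist.locate_file(""))


def find_affected(installs, fixed=FIXED):
    """Keep only the (version, location) pairs older than the fixed release."""
    return [(v, loc) for v, loc in installs if is_affected(v, fixed)]


if __name__ == "__main__":
    hits = find_affected(installed_ytdlp())
    for version, location in hits:
        print(f"yt-dlp {version} at {location}: upgrade to 2026.6.9 or later")
    raise SystemExit(1 if hits else 0)
```

The scan covers only the interpreter that runs it, so each virtual environment or system Python needs its own run.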

See Also

https://advisories.gitlab.com/pypi/yt-dlp/CVE-2026-50023/

https://advisories.gitlab.com/pypi/yt-dlp/CVE-2026-50574/

Plugin Details

Severity: High

ID: 321527

File Name: python_yt_dlp_2026_6_9.nasl

Version: 1.1

Type: Local

Agent: windows, macosx, unix

Family: Misc.

Published: 6/19/2026

Updated: 6/19/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Critical

Score: 9.2

CVSS v2

Risk Factor: High

Base Score: 7.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-50023

CVSS v3

Risk Factor: High

Base Score: 8.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:yt-dlp_project:yt-dlp

Patch Publication Date: 6/10/2026

Vulnerability Publication Date: 6/16/2026

Reference Information

CVE: CVE-2026-50023, CVE-2026-50574

IAVB: 2026-B-0168