yt-dlp and youtube-dl are command-line audio/video downloaders. Prior to 2026.7.4, the --write-link, --write-url-link, and --write-desktop-link options can write .url or .desktop shortcut files using attacker-controlled webpage_url or filename metadata without sufficient validation or escaping, allowing malicious file:// URI injection on Windows or newline-based desktop entry key injection on Linux that can execute commands if the generated shortcut is opened. This issue is fixed in version 2026.7.4.
Metrics
Affected Vendors & Products
References
History
Wed, 08 Jul 2026 20:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Yt-dlp
Yt-dlp yt-dlp |
|
| Vendors & Products |
Yt-dlp
Yt-dlp yt-dlp |
Wed, 08 Jul 2026 19:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | yt-dlp and youtube-dl are command-line audio/video downloaders. Prior to 2026.7.4, the --write-link, --write-url-link, and --write-desktop-link options can write .url or .desktop shortcut files using attacker-controlled webpage_url or filename metadata without sufficient validation or escaping, allowing malicious file:// URI injection on Windows or newline-based desktop entry key injection on Linux that can execute commands if the generated shortcut is opened. This issue is fixed in version 2026.7.4. | |
| Title | yt-dlp: Downstream command injection via improper sanitization of yt-dlp --write-link output | |
| Weaknesses | CWE-74 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-08T19:36:48.792Z
Reserved: 2026-06-16T21:48:43.124Z
Link: CVE-2026-55404
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-08T20:30:04Z