Search criteria
3 vulnerabilities by aandrew-me
CVE-2026-8210 (GCVE-0-2026-8210)
Vulnerability from cvelistv5 – Published: 2026-05-09 21:00 – Updated: 2026-05-12 02:30
VLAI
Title
aandrew-me tgpt Update helper.go helper.Update command injection
Summary
A security vulnerability has been detected in aandrew-me tgpt up to 2.11.1 on Linux/macOS. Affected by this vulnerability is the function helper.Update of the file helper.go of the component Update Handler. The manipulation leads to command injection. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/362418 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/362418/cti | signaturepermissions-required |
| https://vuldb.com/submit/803594 | third-party-advisory |
| https://drive.google.com/file/d/19wRsehbhotZXgE1T… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| aandrew-me | tgpt |
Affected:
2.11.0
Affected: 2.11.1 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8210",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T02:29:54.775402Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T02:30:10.466Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Update Handler"
],
"product": "tgpt",
"vendor": "aandrew-me",
"versions": [
{
"status": "affected",
"version": "2.11.0"
},
{
"status": "affected",
"version": "2.11.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "hai271120 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in aandrew-me tgpt up to 2.11.1 on Linux/macOS. Affected by this vulnerability is the function helper.Update of the file helper.go of the component Update Handler. The manipulation leads to command injection. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Command Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T21:00:11.816Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-362418 | aandrew-me tgpt Update helper.go helper.Update command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/362418"
},
{
"name": "VDB-362418 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/362418/cti"
},
{
"name": "Submit #803594 | aandrew-me tgpt v2.11.1 Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/803594"
},
{
"tags": [
"exploit"
],
"url": "https://drive.google.com/file/d/19wRsehbhotZXgE1TjenFtS3w-zRtp-PW/view?usp=sharing"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-09T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-05-09T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-05-09T08:12:43.000Z",
"value": "VulDB entry last update"
}
],
"title": "aandrew-me tgpt Update helper.go helper.Update command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-8210",
"datePublished": "2026-05-09T21:00:11.816Z",
"dateReserved": "2026-05-09T06:07:36.666Z",
"dateUpdated": "2026-05-12T02:30:10.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6219 (GCVE-0-2026-6219)
Vulnerability from cvelistv5 – Published: 2026-04-13 20:45 – Updated: 2026-04-14 19:37
VLAI
Title
aandrew-me ytDownloader Compressor Feature compressor.js child_process.exec command injection
Summary
A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function child_process.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/357140 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/357140/cti | signaturepermissions-required |
| https://vuldb.com/submit/785843 | third-party-advisory |
| https://vuldb.com/submit/785844 | third-party-advisory |
| https://gist.github.com/ngocnn97/53a9f251d1cb99b1… | related |
| https://github.com/ngocnn97/security-advisories/b… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| aandrew-me | ytDownloader |
Affected:
3.20.0
Affected: 3.20.1 Affected: 3.20.2 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6219",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T19:34:54.318102Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T19:37:43.233Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Compressor Feature"
],
"product": "ytDownloader",
"vendor": "aandrew-me",
"versions": [
{
"status": "affected",
"version": "3.20.0"
},
{
"status": "affected",
"version": "3.20.1"
},
{
"status": "affected",
"version": "3.20.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ngocnn97 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function child_process.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "Command Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T20:45:24.103Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-357140 | aandrew-me ytDownloader Compressor Feature compressor.js child_process.exec command injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/357140"
},
{
"name": "VDB-357140 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/357140/cti"
},
{
"name": "Submit #785843 | Aandrew-me ytDownloader 3.20.2 Command Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/785843"
},
{
"name": "Submit #785844 | Aandrew-me ytDownloader 3.20.2 Command Injection (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/785844"
},
{
"tags": [
"related"
],
"url": "https://gist.github.com/ngocnn97/53a9f251d1cb99b1b8033e211407d1b1"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/ngocnn97/security-advisories/blob/main/YtDownloader_Command_Injection_PoC.mp4"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-13T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-13T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-13T15:44:14.000Z",
"value": "VulDB entry last update"
}
],
"title": "aandrew-me ytDownloader Compressor Feature compressor.js child_process.exec command injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-6219",
"datePublished": "2026-04-13T20:45:24.103Z",
"dateReserved": "2026-04-13T13:29:29.072Z",
"dateUpdated": "2026-04-14T19:37:43.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6218 (GCVE-0-2026-6218)
Vulnerability from cvelistv5 – Published: 2026-04-13 20:30 – Updated: 2026-04-14 13:05
VLAI
Title
aandrew-me ytDownloader Error Details Panel createTextNode cross site scripting
Summary
A vulnerability was found in aandrew-me ytDownloader up to 3.20.2. Affected by this issue is the function createTextNode of the component Error Details Panel. The manipulation results in cross site scripting. The attack may be performed from remote. The vendor was contacted early about this disclosure.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://vuldb.com/vuln/357139 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/357139/cti | signaturepermissions-required |
| https://vuldb.com/submit/785842 | third-party-advisory |
| https://github.com/ngocnn97/security-advisories/b… | exploit |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| aandrew-me | ytDownloader |
Affected:
3.20.0
Affected: 3.20.1 Affected: 3.20.2 |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6218",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T13:05:05.445688Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T13:05:33.179Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Error Details Panel"
],
"product": "ytDownloader",
"vendor": "aandrew-me",
"versions": [
{
"status": "affected",
"version": "3.20.0"
},
{
"status": "affected",
"version": "3.20.1"
},
{
"status": "affected",
"version": "3.20.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ngocnn97 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in aandrew-me ytDownloader up to 3.20.2. Affected by this issue is the function createTextNode of the component Error Details Panel. The manipulation results in cross site scripting. The attack may be performed from remote. The vendor was contacted early about this disclosure."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:X/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:X/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:ND/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T20:30:14.394Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-357139 | aandrew-me ytDownloader Error Details Panel createTextNode cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/357139"
},
{
"name": "VDB-357139 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/357139/cti"
},
{
"name": "Submit #785842 | Aandrew-me ytDownloader 3.20.2 Remote code execution via DOM XSS",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/785842"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/ngocnn97/security-advisories/blob/main/YtDownloader_XSS_To_RCE_PoC.mp4"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-13T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-13T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-13T15:35:16.000Z",
"value": "VulDB entry last update"
}
],
"title": "aandrew-me ytDownloader Error Details Panel createTextNode cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-6218",
"datePublished": "2026-04-13T20:30:14.394Z",
"dateReserved": "2026-04-13T13:29:24.363Z",
"dateUpdated": "2026-04-14T13:05:33.179Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}