PYSEC-2026-3431

Vulnerability from pysec - Published: 2026-07-13 15:46 - Updated: 2026-07-13 16:07
VLAI
Details

Summary

If curl is used an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's.

This is the equivalent to GHSA-v8mc-9377-rwjj for the curl downloader. The vulnerable behavior is present in yt-dlp released since 2023.09.24.

Details

At the file download stage, the cookies are passed by yt-dlp to the file downloader via --cookie. However, unless these are loaded from a file, this operation does not activate the cookie engine. As a result, curl will send cookies with requests to domains or paths for which the cookies are not scoped.

An example of a potential attack scenario exploiting this vulnerability: 1. an attacker has crafted a malicious website with an embedded URL designed to be detected by yt-dlp as a video download. This embedded URL has the domain of a trusted site that the user has loaded cookies for, and conducts an unvalidated redirect to a target URL. 2. yt-dlp extracts this URL and calculates the cookies which are then passed to curl. 3. the download URL redirects to a server controlled by the attacker, to which curl forwards the user's sensitive cookie information.

Patches

yt-dlp version 2026.06.09 fixes this issue by doing the following:

  • Pass the cookies through stdin via --cookie - if curl is version 7.59 or higher.
  • Pass the cookies via --cookie /dev/fd/0 if the system supports this device file.
  • In all other cases create a temporary file, save the cookies and then pass via --cookie <file>.

Workarounds

It is recommended to upgrade yt-dlp to version 2026.06.09 as soon as possible.

For users who are not able to upgrade:

  • Do not use --downloader curl.
Impacted products
Name purl
yt-dlp pkg:pypi/yt-dlp

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "yt-dlp",
        "purl": "pkg:pypi/yt-dlp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2023.9.24"
            },
            {
              "fixed": "2026.6.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2023.10.13",
        "2023.10.7",
        "2023.11.13.232715.dev0",
        "2023.11.13.5826.dev0",
        "2023.11.14",
        "2023.11.15.232826.dev0",
        "2023.11.16",
        "2023.11.16.232727.dev0",
        "2023.11.18.232705.dev0",
        "2023.11.19.232719.dev0",
        "2023.11.20.232729.dev0",
        "2023.11.26.232703.dev0",
        "2023.11.28.232715.dev0",
        "2023.11.29.232714.dev0",
        "2023.12.12.232727.dev0",
        "2023.12.13.232710.dev0",
        "2023.12.17.232710.dev0",
        "2023.12.18.232711.dev0",
        "2023.12.19.232701.dev0",
        "2023.12.20.232717.dev0",
        "2023.12.21.232720.dev0",
        "2023.12.22.232735.dev0",
        "2023.12.24.232657.dev0",
        "2023.12.26.232752.dev0",
        "2023.12.30",
        "2023.12.30.232719.dev0",
        "2023.12.31.232713.dev0",
        "2023.12.5.232702.dev0",
        "2023.12.6.232721.dev0",
        "2023.9.24",
        "2024.1.14.232710.dev0",
        "2024.1.18.232658.dev0",
        "2024.1.19.232708.dev0",
        "2024.1.2.232714.dev0",
        "2024.1.20.232722.dev0",
        "2024.1.21.232719.dev0",
        "2024.1.22.232713.dev0",
        "2024.1.23.232723.dev0",
        "2024.1.28.232706.dev0",
        "2024.1.29.232706.dev0",
        "2024.1.31.232703.dev0",
        "2024.1.5.232702.dev0",
        "2024.1.8.232709.dev0",
        "2024.1.9.232723.dev0",
        "2024.10.1.232843.dev0",
        "2024.10.10.232848.dev0",
        "2024.10.11.232837.dev0",
        "2024.10.12.232856.dev0",
        "2024.10.13.232959.dev0",
        "2024.10.14.232841.dev0",
        "2024.10.15.232919.dev0",
        "2024.10.16.232911.dev0",
        "2024.10.19.232833.dev0",
        "2024.10.20.232914.dev0",
        "2024.10.22",
        "2024.10.22.232922.dev0",
        "2024.10.22.51025.dev0",
        "2024.10.23.232902.dev0",
        "2024.10.24.232910.dev0",
        "2024.10.25.232902.dev0",
        "2024.10.26.232826.dev0",
        "2024.10.27.232921.dev0",
        "2024.10.28.232846.dev0",
        "2024.10.29.232854.dev0",
        "2024.10.31.232951.dev0",
        "2024.10.7",
        "2024.10.7.232845.dev0",
        "2024.11.10.232816.dev0",
        "2024.11.11.232805.dev0",
        "2024.11.12.232900.dev0",
        "2024.11.15.232903.dev0",
        "2024.11.16.232922.dev0",
        "2024.11.17.232856.dev0",
        "2024.11.18",
        "2024.11.18.232921.dev0",
        "2024.11.2.232942.dev0",
        "2024.11.23.232923.dev0",
        "2024.11.24.232931.dev0",
        "2024.11.26.232922.dev0",
        "2024.11.27.232921.dev0",
        "2024.11.3.232912.dev0",
        "2024.11.4",
        "2024.11.4.232933.dev0",
        "2024.11.6.232826.dev0",
        "2024.11.9.232836.dev0",
        "2024.12.1.232904.dev0",
        "2024.12.12.232950.dev0",
        "2024.12.13",
        "2024.12.13.232928.dev0",
        "2024.12.15.232913.dev0",
        "2024.12.2.233010.dev0",
        "2024.12.23",
        "2024.12.23.232812.dev0",
        "2024.12.26.232815.dev0",
        "2024.12.3",
        "2024.12.3.232932.dev0",
        "2024.12.4.232942.dev0",
        "2024.12.6",
        "2024.12.6.161513.dev0",
        "2024.2.13.232701.dev0",
        "2024.2.14.232704.dev0",
        "2024.2.15.232705.dev0",
        "2024.2.16.232705.dev0",
        "2024.2.17.232706.dev0",
        "2024.2.18.232707.dev0",
        "2024.2.19.232703.dev0",
        "2024.2.2.232707.dev0",
        "2024.2.20.232712.dev0",
        "2024.2.21.232721.dev0",
        "2024.2.22.232849.dev0",
        "2024.2.23.232656.dev0",
        "2024.2.24.232815.dev0",
        "2024.2.25.232703.dev0",
        "2024.2.28.232744.dev0",
        "2024.2.29.232658.dev0",
        "2024.2.3.232712.dev0",
        "2024.2.4.232659.dev0",
        "2024.2.5.232712.dev0",
        "2024.2.9.232659.dev0",
        "2024.3.10",
        "2024.3.10.232703.dev0",
        "2024.3.14.232657.dev0",
        "2024.3.17.232657.dev0",
        "2024.3.18.232707.dev0",
        "2024.3.19.232701.dev0",
        "2024.3.2.232720.dev0",
        "2024.3.20.232704.dev0",
        "2024.3.22.232703.dev0",
        "2024.3.29.232706.dev0",
        "2024.3.3.232706.dev0",
        "2024.3.30.232704.dev0",
        "2024.3.31.232706.dev0",
        "2024.3.4.232716.dev0",
        "2024.3.6.232659.dev0",
        "2024.3.7.232716.dev0",
        "2024.3.8.232718.dev0",
        "2024.3.9.232714.dev0",
        "2024.4.1.232704.dev0",
        "2024.4.13.232802.dev0",
        "2024.4.18.232703.dev0",
        "2024.4.20.232659.dev0",
        "2024.4.21.232710.dev0",
        "2024.4.28.232723.dev0",
        "2024.4.3.233315.dev0",
        "2024.4.4.232729.dev0",
        "2024.4.6.232655.dev0",
        "2024.4.7.232657.dev0",
        "2024.4.8.232708.dev0",
        "2024.4.9",
        "2024.4.9.232723.dev0",
        "2024.5.10.232705.dev0",
        "2024.5.11.232654.dev0",
        "2024.5.12.232709.dev0",
        "2024.5.13.232704.dev0",
        "2024.5.16.232713.dev0",
        "2024.5.17.232726.dev0",
        "2024.5.18.232655.dev0",
        "2024.5.20.232721.dev0",
        "2024.5.22.232749.dev0",
        "2024.5.23.232707.dev0",
        "2024.5.25.232709.dev0",
        "2024.5.26",
        "2024.5.26.232731.dev0",
        "2024.5.27",
        "2024.5.27.232744.dev0",
        "2024.5.29.232700.dev0",
        "2024.5.30.232720.dev0",
        "2024.5.4.232706.dev0",
        "2024.5.5.232701.dev0",
        "2024.5.8.232715.dev0",
        "2024.6.1.232725.dev0",
        "2024.6.11.232712.dev0",
        "2024.6.13.232720.dev0",
        "2024.6.15.232712.dev0",
        "2024.6.16.232832.dev0",
        "2024.6.17.232743.dev0",
        "2024.6.20.232815.dev0",
        "2024.6.21.232706.dev0",
        "2024.6.22.232706.dev0",
        "2024.6.24.232830.dev0",
        "2024.6.27.232805.dev0",
        "2024.6.29.232730.dev0",
        "2024.6.30.232744.dev0",
        "2024.7.1",
        "2024.7.1.232715.dev0",
        "2024.7.10.232707.dev0",
        "2024.7.11.232833.dev0",
        "2024.7.12.232729.dev0",
        "2024.7.13.232701.dev0",
        "2024.7.14.232743.dev0",
        "2024.7.15.232803.dev0",
        "2024.7.16",
        "2024.7.16.232919.dev0",
        "2024.7.19.25855.dev0",
        "2024.7.2",
        "2024.7.2.232715.dev0",
        "2024.7.23.232906.dev0",
        "2024.7.24.232745.dev0",
        "2024.7.25",
        "2024.7.25.232820.dev0",
        "2024.7.29.232758.dev0",
        "2024.7.3.232825.dev0",
        "2024.7.30.232707.dev0",
        "2024.7.31.232733.dev0",
        "2024.7.5.232716.dev0",
        "2024.7.6.232701.dev0",
        "2024.7.7",
        "2024.7.7.232743.dev0",
        "2024.7.8",
        "2024.7.8.232708.dev0",
        "2024.7.9",
        "2024.7.9.232843.dev0",
        "2024.8.1",
        "2024.8.1.232808.dev0",
        "2024.8.12.232840.dev0",
        "2024.8.13.232739.dev0",
        "2024.8.15.233031.dev0",
        "2024.8.18.232809.dev0",
        "2024.8.19.232821.dev0",
        "2024.8.21.232751.dev0",
        "2024.8.26.232811.dev0",
        "2024.8.4.232814.dev0",
        "2024.8.5.232823.dev0",
        "2024.8.6",
        "2024.8.6.232802.dev0",
        "2024.9.1.235933.dev0",
        "2024.9.13.232912.dev0",
        "2024.9.14.232748.dev0",
        "2024.9.17.232940.dev0",
        "2024.9.2.232855.dev0",
        "2024.9.24.232842.dev0",
        "2024.9.25.232842.dev0",
        "2024.9.26.232938.dev0",
        "2024.9.27",
        "2024.9.27.232842.dev0",
        "2024.9.29.232819.dev0",
        "2024.9.30.232929.dev0",
        "2024.9.5.232840.dev0",
        "2024.9.7.232731.dev0",
        "2024.9.8.232909.dev0",
        "2025.1.11.232806.dev0",
        "2025.1.12",
        "2025.1.12.232754.dev0",
        "2025.1.15",
        "2025.1.15.232837.dev0",
        "2025.1.16.232854.dev0",
        "2025.1.19.232735.dev0",
        "2025.1.20.232744.dev0",
        "2025.1.21.232800.dev0",
        "2025.1.23.232810.dev0",
        "2025.1.26",
        "2025.1.26.34637.dev0",
        "2025.1.28.232803.dev0",
        "2025.1.29.232818.dev0",
        "2025.1.30.232843.dev0",
        "2025.10.1.232815.dev0",
        "2025.10.11.232807.dev0",
        "2025.10.12.232804.dev0",
        "2025.10.14",
        "2025.10.14.232845.dev0",
        "2025.10.15.232824.dev0",
        "2025.10.18.232824.dev0",
        "2025.10.22",
        "2025.10.22.193525.dev0",
        "2025.10.22.232844.dev0",
        "2025.10.24.232923.dev0",
        "2025.10.25.232842.dev0",
        "2025.10.27.232853.dev0",
        "2025.10.28.232931.dev0",
        "2025.10.31.222828.dev0",
        "2025.11.1.232827.dev0",
        "2025.11.1.73148.dev0",
        "2025.11.11.5312.dev0",
        "2025.11.12",
        "2025.11.12.5349.dev0",
        "2025.11.14.235840.dev0",
        "2025.11.15.232912.dev0",
        "2025.11.16.232923.dev0",
        "2025.11.18.232918.dev0",
        "2025.11.19.232938.dev0",
        "2025.11.20.232939.dev0",
        "2025.11.21.232936.dev0",
        "2025.11.23.233008.dev0",
        "2025.11.23.5251.dev0",
        "2025.11.24.232953.dev0",
        "2025.11.28.232930.dev0",
        "2025.11.29.232949.dev0",
        "2025.11.3.233024.dev0",
        "2025.11.5.232946.dev0",
        "2025.11.7.232914.dev0",
        "2025.11.8.232845.dev0",
        "2025.11.9.232846.dev0",
        "2025.12.1.10606.dev0",
        "2025.12.1.233105.dev0",
        "2025.12.1.51642.dev0",
        "2025.12.12.233036.dev0",
        "2025.12.13.232949.dev0",
        "2025.12.15.233113.dev0",
        "2025.12.18.235942.dev0",
        "2025.12.19.233017.dev0",
        "2025.12.20.232942.dev0",
        "2025.12.24.233043.dev0",
        "2025.12.25.233051.dev0",
        "2025.12.26.233056.dev0",
        "2025.12.29.233040.dev0",
        "2025.12.3.233056.dev0",
        "2025.12.30.233018.dev0",
        "2025.12.31.233056.dev0",
        "2025.12.4.233042.dev0",
        "2025.12.5.232956.dev0",
        "2025.12.6.232939.dev0",
        "2025.12.8",
        "2025.12.8.550.dev0",
        "2025.12.9.233030.dev0",
        "2025.2.10.232934.dev0",
        "2025.2.11.232920.dev0",
        "2025.2.19",
        "2025.2.19.23542.dev0",
        "2025.2.20.232914.dev0",
        "2025.2.21.232913.dev0",
        "2025.2.22.232738.dev0",
        "2025.2.23.232748.dev0",
        "2025.2.26.232946.dev0",
        "2025.2.28.232826.dev0",
        "2025.2.8.232844.dev0",
        "2025.2.9.232824.dev0",
        "2025.3.13.232844.dev0",
        "2025.3.15.232805.dev0",
        "2025.3.16.232921.dev0",
        "2025.3.2.232817.dev0",
        "2025.3.21",
        "2025.3.21.232842.dev0",
        "2025.3.22.232834.dev0",
        "2025.3.23.232844.dev0",
        "2025.3.25",
        "2025.3.25.703.dev0",
        "2025.3.26",
        "2025.3.26.420.dev0",
        "2025.3.27",
        "2025.3.27.233514.dev0",
        "2025.3.28.232920.dev0",
        "2025.3.3.232847.dev0",
        "2025.3.30.232927.dev0",
        "2025.3.31",
        "2025.3.31.214356.dev0",
        "2025.3.4.232844.dev0",
        "2025.3.5.232947.dev0",
        "2025.3.7.232704.dev0",
        "2025.4.18.232954.dev0",
        "2025.4.19.232942.dev0",
        "2025.4.23.1659.dev0",
        "2025.4.23.232926.dev0",
        "2025.4.24.232927.dev0",
        "2025.4.25.232910.dev0",
        "2025.4.26.232923.dev0",
        "2025.4.27.233024.dev0",
        "2025.4.28.232934.dev0",
        "2025.4.29.232920.dev0",
        "2025.4.30",
        "2025.4.30.232944.dev0",
        "2025.4.5.232914.dev0",
        "2025.4.6.232826.dev0",
        "2025.5.10.232848.dev0",
        "2025.5.11.232911.dev0",
        "2025.5.16.232928.dev0",
        "2025.5.17.232915.dev0",
        "2025.5.18.232948.dev0",
        "2025.5.20.232932.dev0",
        "2025.5.21.232935.dev0",
        "2025.5.22",
        "2025.5.22.232956.dev0",
        "2025.5.22.93922.dev0",
        "2025.5.23.233016.dev0",
        "2025.5.26.232937.dev0",
        "2025.5.27.232941.dev0",
        "2025.5.28.232948.dev0",
        "2025.5.3.232917.dev0",
        "2025.5.30.233011.dev0",
        "2025.5.5.232943.dev0",
        "2025.5.6.232932.dev0",
        "2025.6.1.232947.dev0",
        "2025.6.12.233004.dev0",
        "2025.6.25",
        "2025.6.25.235247.dev0",
        "2025.6.26.233029.dev0",
        "2025.6.27.233026.dev0",
        "2025.6.28.234349.dev0",
        "2025.6.29.233002.dev0",
        "2025.6.3.233020.dev0",
        "2025.6.30",
        "2025.6.30.233919.dev0",
        "2025.6.5.233116.dev0",
        "2025.6.6.233002.dev0",
        "2025.6.7.233023.dev0",
        "2025.6.8.232939.dev0",
        "2025.6.9",
        "2025.6.9.234059.dev0",
        "2025.7.1.235725.dev0",
        "2025.7.11.233035.dev0",
        "2025.7.12.233122.dev0",
        "2025.7.13.233101.dev0",
        "2025.7.14.233051.dev0",
        "2025.7.16.233138.dev0",
        "2025.7.18.233100.dev0",
        "2025.7.19.233203.dev0",
        "2025.7.2.233055.dev0",
        "2025.7.21",
        "2025.7.21.234438.dev0",
        "2025.7.22.233113.dev0",
        "2025.7.23.233136.dev0",
        "2025.7.24.233125.dev0",
        "2025.7.25.233059.dev0",
        "2025.7.26.233101.dev0",
        "2025.7.27.233142.dev0",
        "2025.7.29.233301.dev0",
        "2025.7.30.233130.dev0",
        "2025.7.31.233123.dev0",
        "2025.7.5.233013.dev0",
        "2025.7.6.233008.dev0",
        "2025.7.7.233044.dev0",
        "2025.7.8.233037.dev0",
        "2025.7.9.233050.dev0",
        "2025.8.1.233124.dev0",
        "2025.8.11",
        "2025.8.11.34503.dev0",
        "2025.8.12.233030.dev0",
        "2025.8.13.233032.dev0",
        "2025.8.16.232932.dev0",
        "2025.8.18.232943.dev0",
        "2025.8.19.232936.dev0",
        "2025.8.2.233207.dev0",
        "2025.8.20",
        "2025.8.20.232911.dev0",
        "2025.8.20.24358.dev0",
        "2025.8.21.235612.dev0",
        "2025.8.22",
        "2025.8.22.235700.dev0",
        "2025.8.22.31729.dev0",
        "2025.8.23.234735.dev0",
        "2025.8.27",
        "2025.8.27.235607.dev0",
        "2025.8.28.232853.dev0",
        "2025.8.29.232845.dev0",
        "2025.8.3.233131.dev0",
        "2025.8.30.232839.dev0",
        "2025.8.5.233158.dev0",
        "2025.8.6.233141.dev0",
        "2025.8.7.233150.dev0",
        "2025.8.8.233030.dev0",
        "2025.9.10.232823.dev0",
        "2025.9.11.232836.dev0",
        "2025.9.12.232737.dev0",
        "2025.9.13.232728.dev0",
        "2025.9.16.232710.dev0",
        "2025.9.17.232802.dev0",
        "2025.9.19.232813.dev0",
        "2025.9.21.232818.dev0",
        "2025.9.22.232823.dev0",
        "2025.9.23",
        "2025.9.23.232818.dev0",
        "2025.9.23.64003.dev0",
        "2025.9.26",
        "2025.9.26.220624.dev0",
        "2025.9.30.72057.dev0",
        "2025.9.5",
        "2025.9.5.224711.dev0",
        "2025.9.7.232816.dev0",
        "2025.9.7.655.dev0",
        "2025.9.8.232917.dev0",
        "2026.1.1.233103.dev0",
        "2026.1.16.233125.dev0",
        "2026.1.19.233146.dev0",
        "2026.1.19.359.dev0",
        "2026.1.2.233036.dev0",
        "2026.1.25.233128.dev0",
        "2026.1.27.233257.dev0",
        "2026.1.29",
        "2026.1.29.165626.dev0",
        "2026.1.3.233044.dev0",
        "2026.1.30.233459.dev0",
        "2026.1.31",
        "2026.1.31.233334.dev0",
        "2026.1.4.233103.dev0",
        "2026.1.5.233118.dev0",
        "2026.1.6.233142.dev0",
        "2026.2.12.233641.dev0",
        "2026.2.16.233630.dev0",
        "2026.2.17.233631.dev0",
        "2026.2.18.235726.dev0",
        "2026.2.19.233638.dev0",
        "2026.2.20.235452.dev0",
        "2026.2.21",
        "2026.2.21.202150.dev0",
        "2026.2.22.233517.dev0",
        "2026.2.26.233640.dev0",
        "2026.2.3.233612.dev0",
        "2026.2.4",
        "2026.2.4.233607.dev0",
        "2026.2.6.233518.dev0",
        "2026.2.7.233648.dev0",
        "2026.2.9.233747.dev0",
        "2026.3.10.233607.dev0",
        "2026.3.11.233532.dev0",
        "2026.3.13",
        "2026.3.13.83652.dev0",
        "2026.3.17",
        "2026.3.17.232108.dev0",
        "2026.3.2.233544.dev0",
        "2026.3.21.233500.dev0",
        "2026.3.29.233709.dev0",
        "2026.3.3",
        "2026.3.3.162408.dev0",
        "2026.4.10.235301.dev0",
        "2026.4.30.234007.dev0",
        "2026.4.4.233651.dev0",
        "2026.4.5.233732.dev0",
        "2026.4.7.233742.dev0",
        "2026.5.16.233954.dev0",
        "2026.5.24.234402.dev0",
        "2026.5.25.234532.dev0",
        "2026.5.3.233852.dev0",
        "2026.5.5.233942.dev0",
        "2026.6.6.234447.dev0"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-50019",
    "GHSA-f7j3-774f-rfhj"
  ],
  "details": "### Summary\nIf curl is used an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest\u0027s.\n\nThis is the equivalent to [GHSA-v8mc-9377-rwjj](\u003chttps://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj\u003e) for the `curl` downloader. The vulnerable behavior is present in [yt-dlp](https://github.com/yt-dlp/yt-dlp) released since 2023.09.24.\n\n### Details\nAt the file download stage, the cookies are passed by yt-dlp to the file downloader via `--cookie`. However, unless these are loaded from a file, this operation does not activate the cookie engine. As a result, `curl` will send cookies with requests to domains or paths for which the cookies are not scoped.\n\nAn example of a potential attack scenario exploiting this vulnerability:\n1. an attacker has crafted a malicious website with an embedded URL designed to be detected by yt-dlp as a video download. This embedded URL has the domain of a trusted site that the user has loaded cookies for, and conducts an [unvalidated redirect](https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html) to a target URL.\n2. yt-dlp extracts this URL and calculates the cookies which are then passed to `curl`.\n3. the download URL redirects to a server controlled by the attacker, to which `curl` forwards the user\u0027s sensitive cookie information.\n\n### Patches\nyt-dlp version 2026.06.09 fixes this issue by doing the following:\n\n- Pass the cookies through stdin via `--cookie -` if `curl` is version 7.59 or higher.\n- Pass the cookies via `--cookie /dev/fd/0` if the system supports this device file.\n- In all other cases create a temporary file, save the cookies and then pass via `--cookie \u003cfile\u003e`.\n\n### Workarounds\nIt is recommended to upgrade yt-dlp to version 2026.06.09 as soon as possible.\n\nFor users who are not able to upgrade:\n\n- Do not use `--downloader curl`.",
  "id": "PYSEC-2026-3431",
  "modified": "2026-07-13T16:07:35.180462Z",
  "published": "2026-07-13T15:46:18.085308Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-f7j3-774f-rfhj"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yt-dlp/yt-dlp/commit/2726572520238356bcf64aba2040228648b44c82"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/yt-dlp/yt-dlp"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2026.06.09.230517"
    },
    {
      "type": "WEB",
      "url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2026.06.09"
    },
    {
      "type": "PACKAGE",
      "url": "https://pypi.org/project/yt-dlp"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-f7j3-774f-rfhj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50019"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "yt-dlp: File Downloader cookie leak with curl "
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…