Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-6219
5.3 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Local (L)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): Low (L)
- Availability (A): Low (L)
- Exploit Code Maturity (E): Proof-of-Concept (P)
- Remediation Level (RL): Not Defined (X)
- Report Confidence (RC): Reasonable (R)
- Modified Attack Vector (MAV): Local (L)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): Low (L)
Activity log
- Created suggestion
aandrew-me ytDownloader Compressor Feature compressor.js child_process.exec command injection
A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function child_process.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.
References
-
VDB-357140 | aandrew-me ytDownloader Compressor Feature compressor.js child_process.exec command injection vdb-entrytechnical-description
-
-
Submit #785843 | Aandrew-me ytDownloader 3.20.2 Command Injection third-party-advisory
-
Submit #785844 | Aandrew-me ytDownloader 3.20.2 Command Injection (Duplicate) third-party-advisory
Affected products
ytDownloader
- ==3.20.0
- ==3.20.1
- ==3.20.2
Package maintainers
-
@chewblacka John Garcia