Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses

Filter by:

With package: python312Packages.yt-dlp-light

Found 1 matching suggestions

View:

Compact

Detailed

Published

Permalink CVE-2026-50023

8.3 HIGH

CVSS version (CVSS): 3.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): High (H)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Changed (C)
Confidentiality (C): High (H)
Integrity (I): High (H)
Availability (A): High (H)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): High (H)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): Required (R)
Modified Confidentiality (MC): High (H)
Modified Scope (MS): Changed (C)
Modified Integrity (MI): High (H)
Modified Availability (MA): High (H)

updated 23 hours ago by @LeSuisse Activity log

Created suggestion 1 day, 9 hours ago
@LeSuisse ignored
7 packages
- python312Packages.yt-dlp
- python314Packages.yt-dlp-ejs
- python313Packages.yt-dlp-ejs
- python312Packages.yt-dlp-ejs
- python312Packages.yt-dlp-dearrow
- python313Packages.yt-dlp-dearrow
- python314Packages.yt-dlp-dearrow
23 hours ago
@LeSuisse accepted 23 hours ago
@LeSuisse published on GitHub 23 hours ago

yt-dlp: Dangerous file type creation via insufficient filename sanitization (Bypass of CVE-2024-38519)

yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, a vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as .desktop, .url, .webloc) to the user's filesystem, bypassing the remediation for CVE-2024-38519. The allowlist explicitly included the unsafe extensions .desktop, .url, and .webloc so that the functionality of the --write-link option (and its variants) could be preserved. These allowlist inclusions can be exploited by an attacker to write malicious OS-shortcut files in the context of a media or subtitles download. This vulnerability is fixed in 2026.06.09.

References

https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-c6mh-fpjc-4pr3 x_refsource_CONFIRM
https://github.com/yt-dlp/yt-dlp/commit/e578e265f7c6ca94a74b30e0d8d6196a4d19fb6a x_refsource_MISC
https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2026.06.09.230517 x_refsource_MISC
https://github.com/yt-dlp/yt-dlp/releases/tag/2026.06.09 x_refsource_MISC

Affected products

yt-dlp

==< 2026.06.09

Matching in nixpkgs

pkgs.yt-dlp

Feature-rich command-line audio/video downloader

nixos-unstable 2026.03.17
- nixpkgs-unstable 2026.06.09
- nixos-unstable-small 2026.06.09
nixos-26.05 2026.03.17
- nixos-26.05-small 2026.03.17
- nixpkgs-26.05-darwin 2026.03.17

pkgs.yt-dlp-light

Feature-rich command-line audio/video downloader

nixos-unstable 2026.03.17
- nixpkgs-unstable 2026.06.09
- nixos-unstable-small 2026.06.09
nixos-26.05 2026.03.17
- nixos-26.05-small 2026.03.17
- nixpkgs-26.05-darwin 2026.03.17

pkgs.python313Packages.yt-dlp

Feature-rich command-line audio/video downloader

nixos-unstable 2026.03.17
- nixpkgs-unstable 2026.06.09
- nixos-unstable-small 2026.06.09
nixos-26.05 2026.03.17
- nixos-26.05-small 2026.03.17
- nixpkgs-26.05-darwin 2026.03.17

pkgs.python314Packages.yt-dlp

Feature-rich command-line audio/video downloader

nixos-unstable 2026.03.17
- nixpkgs-unstable 2026.06.09
- nixos-unstable-small 2026.06.09
nixos-26.05 2026.03.17
- nixos-26.05-small 2026.03.17
- nixpkgs-26.05-darwin 2026.03.17

pkgs.python312Packages.yt-dlp-light

None

pkgs.python313Packages.yt-dlp-light

Feature-rich command-line audio/video downloader

nixos-unstable 2026.03.17
- nixpkgs-unstable 2026.06.09
- nixos-unstable-small 2026.06.09
nixos-26.05 2026.03.17
- nixos-26.05-small 2026.03.17
- nixpkgs-26.05-darwin 2026.03.17

pkgs.python314Packages.yt-dlp-light

Feature-rich command-line audio/video downloader

nixos-unstable 2026.03.17
- nixpkgs-unstable 2026.06.09
- nixos-unstable-small 2026.06.09
nixos-26.05 2026.03.17
- nixos-26.05-small 2026.03.17
- nixpkgs-26.05-darwin 2026.03.17

Ignored packages (7)

pkgs.python312Packages.yt-dlp

None

pkgs.python312Packages.yt-dlp-ejs

None

pkgs.python313Packages.yt-dlp-ejs

External JavaScript for yt-dlp supporting many runtimes

nixos-unstable 0.8.0
- nixpkgs-unstable 0.8.0
- nixos-unstable-small 0.8.0
nixos-26.05 0.8.0
- nixos-26.05-small 0.8.0
- nixpkgs-26.05-darwin 0.8.0

pkgs.python314Packages.yt-dlp-ejs

External JavaScript for yt-dlp supporting many runtimes

nixos-unstable 0.8.0
- nixpkgs-unstable 0.8.0
- nixos-unstable-small 0.8.0
nixos-26.05 0.8.0
- nixos-26.05-small 0.8.0
- nixpkgs-26.05-darwin 0.8.0

pkgs.python312Packages.yt-dlp-dearrow

None

pkgs.python313Packages.yt-dlp-dearrow

Post-processor plugin to use DeArrow video titles in YT-DLP

nixos-unstable 2023.01.01-unstable-2024-01-13
- nixpkgs-unstable 2023.01.01-unstable-2024-01-13
- nixos-unstable-small 2023.01.01-unstable-2024-01-13
nixos-26.05 2023.01.01-unstable-2024-01-13
- nixos-26.05-small 2023.01.01-unstable-2024-01-13
- nixpkgs-26.05-darwin 2023.01.01-unstable-2024-01-13

pkgs.python314Packages.yt-dlp-dearrow

Post-processor plugin to use DeArrow video titles in YT-DLP

nixos-unstable 2023.01.01-unstable-2024-01-13
- nixpkgs-unstable 2023.01.01-unstable-2024-01-13
- nixos-unstable-small 2023.01.01-unstable-2024-01-13
nixos-26.05 2023.01.01-unstable-2024-01-13
- nixos-26.05-small 2023.01.01-unstable-2024-01-13
- nixpkgs-26.05-darwin 2023.01.01-unstable-2024-01-13

Package maintainers

@SuperSandro2000 Sandro Jäckel <sandro.jaeckel@gmail.com>
@FlameFlag FlameFlag <github@flameflag.dev>

1