PatchSiren

yt-dlp CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH yt-dlp CVE published 2026-06-23

CVE-2026-50574

CVE-2026-50574 is a high-severity vulnerability in yt-dlp, a command-line audio/video downloader. Prior to version 2026.06.09, when aria2c is used as an external downloader for fragmented manifest formats such as HLS/DASH streams, yt-dlp passes insufficiently sanitized input to aria2c. This allows an attacker to perform an arbitrary file write. On Windows platforms, this can lead to immediate arbitrary code execution. O [truncated]

HIGH yt-dlp CVE published 2026-06-23

CVE-2026-50023

CVE-2026-50023 is a high-severity vulnerability in yt-dlp, a command-line audio/video downloader. Prior to version 2026.06.09, a remote attacker could cause yt-dlp to write arbitrary OS-shortcut files (such as .desktop, .url, .webloc) to the user's filesystem. This was possible because the allowlist for the --write-link option included unsafe extensions like .desktop, .url, and .webloc. An attacker c [truncated]