PatchSiren cyber security CVE debrief
CVE-2026-50574 yt-dlp CVE debrief
CVE-2026-50574 is a high-severity vulnerability in yt-dlp, a command-line audio/video downloader. Prior to version 2026.06.09, when aria2c is used as the external downloader for fragmented manifest formats such as HLS/DASH streams, yt-dlp passes insufficiently sanitized input to aria2c. This allows an attacker to perform an arbitrary file write. On Windows platforms, this can lead to immediate arbitrary code execution; on non-Windows platforms, it can lead to arbitrary code execution on the next invocation of yt-dlp. The vulnerability is fixed in version 2026.06.09. Users should update to the latest version to mitigate this risk.
- Vendor: yt-dlp
- Product: Unknown
- CVSS: HIGH 8.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-23
- Original CVE updated: 2026-06-26
- Advisory published: 2026-06-23
- Advisory updated: 2026-06-26
Who should care
This vulnerability affects users of yt-dlp who use aria2c as an external downloader, especially those handling fragmented manifest formats. Windows users are at higher risk due to the potential for immediate code execution. All users should update to version 2026.06.09 or later to ensure their systems are protected.
Technical summary
The vulnerability in yt-dlp arises from insufficient input sanitization when aria2c is used to download fragmented media streams. This lets an attacker manipulate file paths, potentially leading to arbitrary file writes. On Windows, this can result in immediate code execution; on other platforms, it may lead to code execution on the next run of yt-dlp. The issue is resolved in version 2026.06.09, which sanitizes the input before it reaches aria2c.
Defensive priority
High priority should be given to updating yt-dlp to version 2026.06.09 or later, especially for users who frequently handle media streams that require external downloaders like aria2c. Immediate action is recommended for Windows users due to the risk of immediate code execution.
Recommended defensive actions
- Update yt-dlp to version 2026.06.09 or later.
- Review and restrict the use of external downloaders like aria2c.
- Monitor for suspicious activity related to yt-dlp and aria2c.
- Implement additional security measures for media stream handling.
- Regularly update and patch all software dependencies.
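The first two actions above (confirm the installed version is at or past the fixed release, and find configurations that route downloads through aria2c) are easy to script. The following triage helper is an added example for this debrief; it is not code from PatchSiren or from the yt-dlp project. It assumes that `yt-dlp --version` prints a date-style version (`YYYY.MM.DD`, with nightly builds appending a further numeric component), that config files hold one option per line with `#`-prefixed comment lines, and that the option names `--downloader` / `--external-downloader` (including the per-protocol `PROTO:NAME` form) select the external downloader; the config-file paths listed are an assumed subset of the locations yt-dlp reads. The sample config embedded in the block is constructed for the demo.

```python
"""Triage helper for CVE-2026-50574 (added example, not part of the
PatchSiren debrief or the yt-dlp project)."""
import re
import shlex
import subprocess
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = (2026, 6, 9)  # fixed release named in the advisory

# Assumption: yt-dlp versions are date-based, e.g. 2026.06.09, and nightly
# builds append another numeric component, e.g. 2026.06.09.123456.
_VERSION_RE = re.compile(r"^(\d{4})\.(\d{2})\.(\d{2})(?:\.(\d+))?$")

# Options that select an external downloader (assumed from yt-dlp's CLI).
DOWNLOADER_OPTS = ("--downloader", "--external-downloader")

# Assumed subset of the config locations yt-dlp consults on POSIX hosts.
CONFIG_CANDIDATES = (
    Path("/etc/yt-dlp.conf"),
    Path("/etc/yt-dlp/config"),
    Path.home() / ".config" / "yt-dlp" / "config",
    Path.home() / ".config" / "yt-dlp.conf",
    Path.home() / "yt-dlp.conf",
)

# Constructed sample config used by main(); it selects aria2c for HLS/DASH.
SAMPLE_CONFIG = """\
# constructed sample yt-dlp config
-o "%(title)s.%(ext)s"
--downloader "m3u8,dash:aria2c"
--downloader-args "aria2c:-x 8"
"""


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (year, month, day) from a yt-dlp version string, or None.
    A trailing nightly component is ignored for the comparison."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def needs_update(text: str) -> bool:
    """True when the version is older than the fixed release. Strings that do
    not parse are reported as needing attention rather than silently passed."""
    v = parse_version(text)
    return v is None or v < FIXED_VERSION


def config_uses_aria2c(config_text: str) -> bool:
    """Scan a yt-dlp config body for an option that selects aria2c, covering
    '--downloader aria2c', '--external-downloader=aria2c' and the
    per-protocol form '--downloader "m3u8,dash:aria2c"'."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            tokens = line.split()
        for i, tok in enumerate(tokens):
            opt, sep, inline_val = tok.partition("=")
            if opt not in DOWNLOADER_OPTS:
                continue
            value = inline_val if sep else (tokens[i + 1] if i + 1 < len(tokens) else "")
            if "aria2c" in value.lower():
                return True
    return False


def installed_version() -> Optional[str]:
    """Ask the yt-dlp on PATH for its version; None if it cannot be run."""
    try:
        proc = subprocess.run(["yt-dlp", "--version"], capture_output=True,
                              text=True, timeout=15)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stdout.strip() or None


def scan_config_files() -> list:
    """Return the candidate config paths that exist and select aria2c."""
    hits = []
    for path in CONFIG_CANDIDATES:
        try:
            if path.is_file() and config_uses_aria2c(path.read_text(errors="replace")):
                hits.append(str(path))
        except OSError:
            continue
    return hits


def main() -> None:
    ver = installed_version()
    print(f"installed yt-dlp version: {ver or 'not found'}")
    if ver is not None:
        print("needs update:", needs_update(ver))
    print("config files selecting aria2c:", scan_config_files() or "none")
    print("constructed sample config selects aria2c:", config_uses_aria2c(SAMPLE_CONFIG))


if __name__ == "__main__":
    main()
```

A host whose version reports `needs update: True`, or whose config files select aria2c, is the population the "update" and "restrict external downloaders" actions target; the per-protocol form matters because a config that only names aria2c for `m3u8`/`dash` is exactly the fragmented-manifest path the advisory describes.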
Evidence notes
The CVE-2026-50574 vulnerability is documented in the official CVE record and NVD detail pages. Additional information is provided in the vendor's security advisory on GitHub. These sources confirm the vulnerability's existence, its impact, and the availability of a fix in version 2026.06.09.
Official resources
- CVE-2026-50574 CVE record (CVE.org)
- CVE-2026-50574 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (Mitigation, Patch, Vendor Advisory)
This article is AI-assisted and based on the supplied source corpus.