PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55404 yt-dlp CVE debrief

CVE-2026-55404 is a high-severity vulnerability in yt-dlp and youtube-dl command-line audio/video downloaders. Prior to version 2026.7.4, the --write-link, --write-url-link, and --write-desktop-link options can write .url or .desktop shortcut files using attacker-controlled webpage_url or filename metadata without sufficient validation or escaping. This allows malicious file:// URI injection on Windows or newline-based desktop entry key injection on Linux that can execute commands if the generated shortcut is opened. The issue is fixed in version 2026.7.4. Users should review their systems and take necessary actions.

Vendor
yt-dlp
Product
Unknown
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-10
Advisory published
2026-07-08
Advisory updated
2026-07-10

Who should care

Users of yt-dlp and youtube-dl command-line audio/video downloaders should be aware of this vulnerability and take defensive actions to protect themselves. This includes operators, platform administrators, vulnerability management teams, and security teams who need to assess the impact on their systems and take necessary actions.

Technical summary

The vulnerability exists in the --write-link, --write-url-link, and --write-desktop-link options of yt-dlp and youtube-dl. These options can write .url or .desktop shortcut files using attacker-controlled webpage_url or filename metadata without sufficient validation or escaping. This allows malicious file:// URI injection on Windows or newline-based desktop entry key injection on Linux that can execute commands if the generated shortcut is opened. The issue is fixed in version 2026.7.4.

Defensive priority

High

Recommended defensive actions

  • Upgrade to version 2026.7.4 or later
  • Use secure protocols for downloading files
  • Validate and escape user-controlled metadata
  • Monitor for suspicious activity
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-08T20:16:52.987Z and was last modified on 2026-07-10T19:13:03.283Z. The NVD entry is currently Undergoing Analysis. This information is based on the CVE.org and NVD sources. The vulnerability affects yt-dlp and youtube-dl command-line audio/video downloaders. Users should verify their systems and take necessary actions.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T20:16:52.987Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.