PatchSiren cyber security CVE debrief
CVE-2026-55404 yt-dlp CVE debrief
CVE-2026-55404 is a high-severity vulnerability in yt-dlp and youtube-dl command-line audio/video downloaders. Prior to version 2026.7.4, the --write-link, --write-url-link, and --write-desktop-link options can write .url or .desktop shortcut files using attacker-controlled webpage_url or filename metadata without sufficient validation or escaping. This allows malicious file:// URI injection on Windows or newline-based desktop entry key injection on Linux that can execute commands if the generated shortcut is opened. The issue is fixed in version 2026.7.4. Users should review their systems and take necessary actions.
- Vendor
- yt-dlp
- Product
- Unknown
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-10
Who should care
Users of yt-dlp and youtube-dl command-line audio/video downloaders should be aware of this vulnerability and take defensive actions to protect themselves. This includes operators, platform administrators, vulnerability management teams, and security teams who need to assess the impact on their systems and take necessary actions.
Technical summary
The vulnerability exists in the --write-link, --write-url-link, and --write-desktop-link options of yt-dlp and youtube-dl. These options can write .url or .desktop shortcut files using attacker-controlled webpage_url or filename metadata without sufficient validation or escaping. This allows malicious file:// URI injection on Windows or newline-based desktop entry key injection on Linux that can execute commands if the generated shortcut is opened. The issue is fixed in version 2026.7.4.
Defensive priority
High
Recommended defensive actions
- Upgrade to version 2026.7.4 or later
- Use secure protocols for downloading files
- Validate and escape user-controlled metadata
- Monitor for suspicious activity
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-08T20:16:52.987Z and was last modified on 2026-07-10T19:13:03.283Z. The NVD entry is currently Undergoing Analysis. This information is based on the CVE.org and NVD sources. The vulnerability affects yt-dlp and youtube-dl command-line audio/video downloaders. Users should verify their systems and take necessary actions.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T20:16:52.987Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.