Vulnerability Details CVE-2026-50023
yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, a vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as .desktop, .url, .webloc) to the user's filesystem, bypassing the remediation for CVE-2024-38519. The allowlist explicitly included the unsafe extensions .desktop, .url, and .webloc so that the functionality of the --write-link option (and its variants) could be preserved. These allowlist inclusions can be exploited by an attacker to write malicious OS-shortcut files in the context of a media or subtitles download. This vulnerability is fixed in 2026.06.09.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 42.1%
CVSS Severity
CVSS v3 Score 8.3
References
Products affected by CVE-2026-50023
-
cpe:2.3:a:yt-dlp_project:yt-dlp:-
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.01.07
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.01.08
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.01.09
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.01.10
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.01.12
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.01.14
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.01.16
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.01.20
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.01.24
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.01.29
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.02.04
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.02.09
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.02.15
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.02.19
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.02.24
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.03.01
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.03.03
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.03.03.2
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.03.07
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.03.15
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.03.21
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.03.24
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.03.24.1
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.04.03
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.04.11
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.04.22
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.05.11
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.05.20
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.06.01
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.06.08
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.06.09
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.06.23
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.07.07
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.07.21
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.07.24
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.08.02
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.08.10
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.09.01
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.09.02
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.09.25
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.10.09
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.10.10
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.10.22
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.11.10
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.11.10.1
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.12.01
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.12.25
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2021.12.27
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.01.21
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.02.03
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.02.04
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.03.08
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.03.08.1
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.04.08
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.05.18
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.06.22
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.06.22.1
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.06.29
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.07.18
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.08.08
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.08.14
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.08.18.36
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.08.19
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.09.01
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.10.04
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2022.11.11
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.01.02
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.01.06
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.02.17
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.03.03
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.03.04
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.06.21
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.06.22
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.07.06
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.09.24
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.10.07
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.10.13
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.11.14
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2023.11.16
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2024.04.09
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2025.07.21
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2025.08.11
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2025.08.20
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2025.08.22
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2025.08.27
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2025.09.05
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2025.09.23
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2025.09.26
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2025.10.14
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2025.10.22
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2025.11.12
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2025.12.08
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2026.01.29
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2026.01.31
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2026.02.04
-
cpe:2.3:a:yt-dlp_project:yt-dlp:2026.02.21