{"id":"DEBIAN-CVE-2026-26331","details":"yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 and prior to version 2026.02.21, when yt-dlp's `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL. yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses `--netrc-cmd` in their command/configuration or `netrc_cmd` in their Python scripts. Even though the maliciously crafted URL itself will look very suspicious to many users, it would be trivial for a maliciously crafted webpage with an inconspicuous URL to covertly exploit this vulnerability via HTTP redirect. Users without `--netrc-cmd` in their arguments or `netrc_cmd` in their scripts are unaffected. No evidence has been found of this exploit being used in the wild. yt-dlp version 2026.02.21 fixes this issue by validating all netrc \"machine\" values and raising an error upon unexpected input.\n\nAs a workaround, users who are unable to upgrade should avoid using the `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter), or they should at least not pass a placeholder (`{}`) in their `--netrc-cmd` argument.","modified":"2026-03-11T07:38:16.304596Z","published":"2026-02-24T03:16:01.710Z","upstream":["CVE-2026-26331"],"references":[{"type":"ADVISORY","url":"https://security-tracker.debian.org/tracker/CVE-2026-26331"}],"affected":[{"package":{"name":"yt-dlp","ecosystem":"Debian:13","purl":"pkg:deb/debian/yt-dlp?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2025.04.30-1","2025.05.22-1","2025.06.09-1","2025.06.25-1","2025.06.30-1","2025.07.21-1","2025.08.11-1","2025.08.11-1~bpo13+1","2025.08.20-1","2025.08.22-1","2025.08.27-1","2025.08.27-1~bpo13+1","2025.09.05-1","2025.09.05-1~bpo13+1","2025.09.23-1","2025.09.26-1","2025.09.26-1~bpo13+1","2025.10.14-1","2025.10.14-1~bpo13+1","2025.10.22-1","2025.10.22-1~bpo13+1","2025.11.12-1","2025.11.12-1~bpo13+1","2025.12.08-1","2025.12.08-1~bpo13+1","2026.01.31-1","2026.01.31-1~bpo13+1","2026.02.21-1","2026.02.21-1~bpo13+1","2026.03.03-1","2026.03.03-1~bpo13+1"],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-26331.json"}},{"package":{"name":"yt-dlp","ecosystem":"Debian:14","purl":"pkg:deb/debian/yt-dlp?arch=source"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2026.02.21-1"}]}],"versions":["2025.04.30-1","2025.05.22-1","2025.06.09-1","2025.06.25-1","2025.06.30-1","2025.07.21-1","2025.08.11-1","2025.08.11-1~bpo13+1","2025.08.20-1","2025.08.22-1","2025.08.27-1","2025.08.27-1~bpo13+1","2025.09.05-1","2025.09.05-1~bpo13+1","2025.09.23-1","2025.09.26-1","2025.09.26-1~bpo13+1","2025.10.14-1","2025.10.14-1~bpo13+1","2025.10.22-1","2025.10.22-1~bpo13+1","2025.11.12-1","2025.11.12-1~bpo13+1","2025.12.08-1","2025.12.08-1~bpo13+1","2026.01.31-1","2026.01.31-1~bpo13+1","2026.02.21-1~bpo13+1"],"ecosystem_specific":{"urgency":"not yet assigned"},"database_specific":{"source":"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-26331.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}