External risk intelligence

yt-dlp Arbitrary File Write via Malicious OS-Shortcut Files

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2026-50023

yt-dlp is a command-line tool used locally by individual users to download media. It is not a network service, daemon, or internet-facing appliance, and its primary usage pattern does not involve exposing a management interface or network service to the public internet.

Yt Dlp Project Yt Dlp

before 2026.06.09

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a vulnerability in yt-dlp, a tool used for downloading audio and video content. The flaw could allow a remote attacker to write malicious shortcut files to a user's system, potentially leading to compromise. While the tool is generally used for individual media downloads, understanding its presence and use within the organization is key to assessing potential risk.

  • Attackers can write malicious shortcuts.
  • Verify this tool's use in your environment.
  • Confirm relevance and exposure.

Attack Path

How an attacker could exploit the issue

An attacker could trick a user into downloading a malicious link or media file using the yt-dlp tool. This would allow the attacker to write arbitrary OS-shortcut files to the user's file system, potentially leading to further compromise.

  • Remote attacker triggers via user interaction.
  • Writes malicious OS-shortcut files.
  • Arbitrary file write to filesystem.

Live Threat

Current exploitation, exposure, and threat context

A remote attacker could trick a user into downloading malicious OS-shortcut files, which might then be executed by the user's operating system. This could occur when downloading media or subtitle files, leading to unauthorized actions on the user's system.

  • User filesystems and operating systems.
  • User interaction to download malicious files.
  • Arbitrary file writes and system compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts users of the yt-dlp command-line tool, potentially allowing attackers to write arbitrary OS shortcut files. Teams responsible for end-user computing or application deployments should prioritize identifying where yt-dlp is used, assess the risk to critical data or systems based on user context and reachability, and coordinate with relevant stakeholders for remediation.

  • End-user computing teams own the issue.
  • Verify yt-dlp installation and usage.
  • Plan for user-specific updates.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is yt-dlp?

yt-dlp is a popular command-line utility designed to download audio and video content from various websites. It is widely used by developers, researchers, and individuals to automate media retrieval, manage local archives, and extract subtitles or metadata from online platforms.

How does CVE-2026-50023 work?

This vulnerability falls under the CWE-641 weakness class, which involves improper sanitization of file paths. In this specific case, yt-dlp incorrectly permitted certain file extensions—specifically .desktop, .url, and .webloc—when writing shortcut files to a system. An attacker can leverage this trust to place malicious OS-shortcut files onto a user's machine, effectively bypassing security measures intended to prevent arbitrary file writes.

When does this vulnerability trigger?

The flaw requires active user interaction to trigger. It occurs when a user instructs the tool to download specific media or subtitles from a malicious source. Simply having the software installed on a system does not trigger the bug; the vulnerability only manifests when the tool is actively processing a specially crafted request from an untrusted remote entity.

Do I need to worry if I use yt-dlp?

According to Halo Surface Signal, the risk is very unlikely because yt-dlp is a local command-line tool, not a network service or public-facing appliance. Since it lacks a persistent management interface exposed to the internet, it does not typically create an external attack surface. Concern is generally limited to environments where users frequently download content from untrusted or unknown sources.

How do I fix this issue?

The primary resolution is to update your installation of yt-dlp to version 2026.06.09 or later. This release addresses the vulnerability by modifying how the tool handles shortcut extensions. If you are responsible for managing end-user software, verify existing installations and coordinate with users to ensure the latest, patched version is deployed across all machines.

References