Bug 2499189 - CVE-2026-55404 yt-dlp: yt-dlp/youtube-dl: Arbitrary Code Execution via Malicious Shortcut File Generation [fedora-all]
Summary: CVE-2026-55404 yt-dlp: yt-dlp/youtube-dl: Arbitrary Code Execution via Malici...
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: yt-dlp
Version: rawhide
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
Assignee: Maxwell G
QA Contact:
URL:
Whiteboard: {"flaws": ["f1176377-5488-4cda-a0da-6...
Depends On:
Blocks: CVE-2026-55404
TreeView+ depends on / blocked
 
Reported: 2026-07-10 20:37 UTC by Jon Moroney
Modified: 2026-07-10 20:37 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Jon Moroney 2026-07-10 20:37:20 UTC
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

yt-dlp and youtube-dl are command-line audio/video downloaders. Prior to 2026.7.4, the --write-link, --write-url-link, and --write-desktop-link options can write .url or .desktop shortcut files using attacker-controlled webpage_url or filename metadata without sufficient validation or escaping, allowing malicious file:// URI injection on Windows or newline-based desktop entry key injection on Linux that can execute commands if the generated shortcut is opened. This issue is fixed in version 2026.7.4.


Note You need to log in before you can comment on or make changes to this bug.