MEDIUM 5.0 PyPI
GHSA-3ch3-jhc6-5r8x · CVE-2023-46121 yt-dlp Generic Extractor MITM Vulnerability via Arbitrary Proxy Injection
Modified: 2/16/2024
package
PyPI / yt-dlp
pkg:pypi/yt-dlp
LOW PyPI
GHSA-3v33-3wmw-3785 yt-dlp has dependency on potentially malicious third-party code in Douyu extractors
Modified: 12/6/2024
HIGH 8.3 PyPI
GHSA-42h4-v29r-42qg · CVE-2023-40581 yt-dlp on Windows vulnerable to `--exec` command injection when using `%q`
Modified: 2/4/2026
HIGH 7.5 PyPI
GHSA-69qj-pvh9-c5wg yt-dlp: Arbitrary command injection possible if --exec option used with yt-dlp
Modified: 6/16/2026
HIGH 7.8 PyPI
GHSA-79w7-vh3h-8g4j · CVE-2024-38519 yt-dlp File system modification and RCE through improper file-extension sanitization
Modified: 2/4/2026
HIGH 8.3 PyPI
GHSA-c6mh-fpjc-4pr3 · CVE-2026-50023 yt-dlp: Dangerous file type creation via insufficient filename sanitization (Bypass of CVE-2024-38519)
Modified: 6/16/2026
MEDIUM 6.1 PyPI
GHSA-f7j3-774f-rfhj · CVE-2026-50019 yt-dlp: File Downloader cookie leak with curl
Modified: 6/16/2026
HIGH 8.8 PyPI
GHSA-g3gw-q23r-pgqm · CVE-2026-26331 yt-dlp: Arbitrary Command Injection when using the `--netrc-cmd` option
Modified: 2/24/2026
HIGH 8.3 PyPI
GHSA-hjq6-52gw-2g7p · CVE-2024-22423 yt-dlp: `--exec` command injection when using `%q` in yt-dlp on Windows (Bypass of CVE-2023-40581)
Modified: 2/4/2026
MEDIUM 6.1 PyPI
GHSA-v8mc-9377-rwjj · CVE-2023-35934 yt-dlp File Downloader cookie leak
Modified: 2/16/2024
HIGH 8.3 PyPI
GHSA-vx4q-3cr2-7cg2 · CVE-2026-50574 yt-dlp: Arbitrary code execution via manifest downloads with aria2c
Modified: 6/16/2026