Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/381376?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/381376?format=api", "purl": "pkg:pypi/yt-dlp@2023.7.6", "type": "pypi", "namespace": "", "name": "yt-dlp", "version": "2023.7.6", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2026.2.21", "latest_non_vulnerable_version": "2026.2.21", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/37162?format=api", "vulnerability_id": "VCID-65md-pf4e-jqgx", "summary": "`yt-dlp` and `youtube-dl` are command-line audio/video downloaders. Prior to the fixed versions, `yt-dlp` and `youtube-dl` do not limit the extensions of downloaded files, which could lead to arbitrary filenames being created in the download folder (and path traversal on Windows). Since `yt-dlp` and `youtube-dl` also read config from the working directory (and on Windows executables will be executed from the `yt-dlp` or `youtube-dl` directory), this could lead to arbitrary code being executed.\n\n\n\n\n`yt-dlp` version 2024.07.01 fixes this issue by whitelisting the allowed extensions. `youtube-dl` fixes this issue in commit `d42a222` on the `master` branch and in nightly builds tagged 2024-07-03 or later. This might mean some very uncommon extensions might not get downloaded, however it will also limit the possible exploitation surface. In addition to upgrading, have `.%(ext)s` at the end of the output template and make sure the user trusts the websites that they are downloading from. Also, make sure to never download to a directory within PATH or other sensitive locations like one's user directory, `system32`, or other binaries locations. For users who are not able to upgrade, keep the default output template (`-o \"%(title)s [%(id)s].%(ext)s`); make sure the extension of the media to download is a common video/audio/sub/... one; try to avoid the generic extractor; and/or use `--ignore-config --config-location ...` to not load config from common locations.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-38519", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14237", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14331", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14357", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00045", "scoring_system": "epss", "scoring_elements": "0.14356", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-38519" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38519", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38519" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/yt-dlp/yt-dlp" }, { "reference_url": "https://securitylab.github.com/advisories/GHSL-2024-089_youtube-dl", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://securitylab.github.com/advisories/GHSL-2024-089_youtube-dl" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1079502", "reference_id": "1079502", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1079502" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2024.07.01", "reference_id": "2024.07.01", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-02T15:17:37Z/" } ], "url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2024.07.01" }, { "reference_url": "https://github.com/ytdl-org/youtube-dl/pull/32830", "reference_id": "32830", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-02T15:17:37Z/" } ], "url": "https://github.com/ytdl-org/youtube-dl/pull/32830" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp/commit/5ce582448ececb8d9c30c8c31f58330090ced03a", "reference_id": "5ce582448ececb8d9c30c8c31f58330090ced03a", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-02T15:17:37Z/" } ], "url": "https://github.com/yt-dlp/yt-dlp/commit/5ce582448ececb8d9c30c8c31f58330090ced03a" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38519", "reference_id": "CVE-2024-38519", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38519" }, { "reference_url": "https://github.com/ytdl-org/youtube-dl/commit/d42a222ed541b96649396ef00e19552aef0f09ec", "reference_id": "d42a222ed541b96649396ef00e19552aef0f09ec", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-02T15:17:37Z/" } ], "url": "https://github.com/ytdl-org/youtube-dl/commit/d42a222ed541b96649396ef00e19552aef0f09ec" }, { "reference_url": "https://github.com/dirkf/youtube-dl/security/advisories/GHSA-22fp-mf44-f2mq", "reference_id": "GHSA-22fp-mf44-f2mq", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-02T15:17:37Z/" } ], "url": "https://github.com/dirkf/youtube-dl/security/advisories/GHSA-22fp-mf44-f2mq" }, { "reference_url": "https://github.com/advisories/GHSA-79w7-vh3h-8g4j", "reference_id": "GHSA-79w7-vh3h-8g4j", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-79w7-vh3h-8g4j" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j", "reference_id": "GHSA-79w7-vh3h-8g4j", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-02T15:17:37Z/" } ], "url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-79w7-vh3h-8g4j" }, { "reference_url": "https://securitylab.github.com/advisories/GHSL-2024-089_youtube-dl/", "reference_id": "GHSL-2024-089_youtube-dl", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-02T15:17:37Z/" } ], "url": "https://securitylab.github.com/advisories/GHSL-2024-089_youtube-dl/" }, { "reference_url": "https://securitylab.github.com/advisories/GHSL-2024-090_yt-dlp", "reference_id": "GHSL-2024-090_yt-dlp", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-02T15:17:37Z/" } ], "url": "https://securitylab.github.com/advisories/GHSL-2024-090_yt-dlp" }, { "reference_url": "https://security.gentoo.org/glsa/202409-30", "reference_id": "GLSA-202409-30", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202409-30" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32383?format=api", "purl": "pkg:pypi/yt-dlp@2024.7.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dbrg-uvxj-qqdz" }, { "vulnerability": "VCID-nj93-7bj7-bqbt" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/yt-dlp@2024.7.1" } ], "aliases": [ "CVE-2024-38519", "GHSA-79w7-vh3h-8g4j" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-65md-pf4e-jqgx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/132530?format=api", "vulnerability_id": "VCID-9cc8-rqk4-uqh8", "summary": "yt-dlp is a youtube-dl fork with additional features and fixes. The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases. Version 2023.11.14 removed the ability to smuggle `http_headers` to the Generic extractor, as well as other extractors that use the same pattern. Users are advised to upgrade. Users unable to upgrade should disable the Ggneric extractor (or only pass trusted sites with trusted content) and ake caution when using `--no-check-certificate`.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-46121", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00095", "scoring_system": "epss", "scoring_elements": "0.26546", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00095", "scoring_system": "epss", "scoring_elements": "0.26342", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00095", "scoring_system": "epss", "scoring_elements": "0.26559", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00095", "scoring_system": "epss", "scoring_elements": "0.26544", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-46121" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/yt-dlp/yt-dlp" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46121", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46121" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055996", "reference_id": "1055996", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055996" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.11.14", "reference_id": "2023.11.14", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T15:18:50Z/" } ], "url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.11.14" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp/commit/f04b5bedad7b281bee9814686bba1762bae092eb", "reference_id": "f04b5bedad7b281bee9814686bba1762bae092eb", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T15:18:50Z/" } ], "url": "https://github.com/yt-dlp/yt-dlp/commit/f04b5bedad7b281bee9814686bba1762bae092eb" }, { "reference_url": "https://github.com/advisories/GHSA-3ch3-jhc6-5r8x", "reference_id": "GHSA-3ch3-jhc6-5r8x", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3ch3-jhc6-5r8x" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3ch3-jhc6-5r8x", "reference_id": "GHSA-3ch3-jhc6-5r8x", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-08-29T15:18:50Z/" } ], "url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-3ch3-jhc6-5r8x" }, { "reference_url": "https://security.gentoo.org/glsa/202409-30", "reference_id": "GLSA-202409-30", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202409-30" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/381202?format=api", "purl": "pkg:pypi/yt-dlp@2023.11.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-65md-pf4e-jqgx" }, { "vulnerability": "VCID-dbrg-uvxj-qqdz" }, { "vulnerability": "VCID-def2-csya-t7gv" }, { "vulnerability": "VCID-nj93-7bj7-bqbt" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/yt-dlp@2023.11.14" } ], "aliases": [ "CVE-2023-46121", "GHSA-3ch3-jhc6-5r8x" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9cc8-rqk4-uqh8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/62423?format=api", "vulnerability_id": "VCID-def2-csya-t7gv", "summary": "yt-dlp is a youtube-dl fork with additional features and fixes. The patch that addressed CVE-2023-40581 attempted to prevent RCE when using `--exec` with `%q` by replacing double quotes with two double quotes. However, this escaping is not sufficient, and still allows expansion of environment variables. Support for output template expansion in `--exec`, along with this vulnerable behavior, was added to `yt-dlp` in version 2021.04.11. yt-dlp version 2024.04.09 fixes this issue by properly escaping `%`. It replaces them with `%%cd:~,%`, a variable that expands to nothing, leaving only the leading percent. It is recommended to upgrade yt-dlp to version 2024.04.09 as soon as possible. Also, always be careful when using `--exec`, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous. For Windows users who are not able to upgrade, avoid using any output template expansion in `--exec` other than `{}` (filepath); if expansion in `--exec` is needed, verify the fields you are using do not contain `\"`, `|` or `&`; and/or instead of using `--exec`, write the info json and load the fields from it instead.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22423", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.06497", "scoring_system": "epss", "scoring_elements": "0.91345", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.06497", "scoring_system": "epss", "scoring_elements": "0.91342", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.06497", "scoring_system": "epss", "scoring_elements": "0.91308", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.06497", "scoring_system": "epss", "scoring_elements": "0.91338", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-22423" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/yt-dlp/yt-dlp" }, { "reference_url": "https://www.kb.cert.org/vuls/id/123335", "reference_id": "123335", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-10T19:34:51Z/" } ], "url": "https://www.kb.cert.org/vuls/id/123335" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2021.04.11", "reference_id": "2021.04.11", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-10T19:34:51Z/" } ], "url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2021.04.11" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2024.04.09", "reference_id": "2024.04.09", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-10T19:34:51Z/" } ], "url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2024.04.09" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22423", "reference_id": "CVE-2024-22423", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22423" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp/commit/de015e930747165dbb8fcd360f8775fd973b7d6e", "reference_id": "de015e930747165dbb8fcd360f8775fd973b7d6e", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-10T19:34:51Z/" } ], "url": "https://github.com/yt-dlp/yt-dlp/commit/de015e930747165dbb8fcd360f8775fd973b7d6e" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp/commit/ff07792676f404ffff6ee61b5638c9dc1a33a37a", "reference_id": "ff07792676f404ffff6ee61b5638c9dc1a33a37a", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-10T19:34:51Z/" } ], "url": "https://github.com/yt-dlp/yt-dlp/commit/ff07792676f404ffff6ee61b5638c9dc1a33a37a" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg", "reference_id": "GHSA-42h4-v29r-42qg", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-10T19:34:51Z/" } ], "url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg" }, { "reference_url": "https://github.com/advisories/GHSA-hjq6-52gw-2g7p", "reference_id": "GHSA-hjq6-52gw-2g7p", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-hjq6-52gw-2g7p" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p", "reference_id": "GHSA-hjq6-52gw-2g7p", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-10T19:34:51Z/" } ], "url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-hjq6-52gw-2g7p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/30249?format=api", "purl": "pkg:pypi/yt-dlp@2024.4.9", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-65md-pf4e-jqgx" }, { "vulnerability": "VCID-dbrg-uvxj-qqdz" }, { "vulnerability": "VCID-nj93-7bj7-bqbt" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/yt-dlp@2024.4.9" } ], "aliases": [ "CVE-2024-22423", "GHSA-hjq6-52gw-2g7p" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-def2-csya-t7gv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/70942?format=api", "vulnerability_id": "VCID-nj93-7bj7-bqbt", "summary": "yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 and prior to version 2026.02.21, when yt-dlp's `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL. yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses `--netrc-cmd` in their command/configuration or `netrc_cmd` in their Python scripts. Even though the maliciously crafted URL itself will look very suspicious to many users, it would be trivial for a maliciously crafted webpage with an inconspicuous URL to covertly exploit this vulnerability via HTTP redirect. Users without `--netrc-cmd` in their arguments or `netrc_cmd` in their scripts are unaffected. No evidence has been found of this exploit being used in the wild. yt-dlp version 2026.02.21 fixes this issue by validating all netrc \"machine\" values and raising an error upon unexpected input. As a workaround, users who are unable to upgrade should avoid using the `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter), or they should at least not pass a placeholder (`{}`) in their `--netrc-cmd` argument.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26331.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26331.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26331", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00218", "scoring_system": "epss", "scoring_elements": "0.44661", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00218", "scoring_system": "epss", "scoring_elements": "0.44673", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00218", "scoring_system": "epss", "scoring_elements": "0.44657", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00218", "scoring_system": "epss", "scoring_elements": "0.44504", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26331" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/yt-dlp/yt-dlp" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp/commit/1fbbe29b99dc61375bf6d786f824d9fcf6ea9c1a", "reference_id": "1fbbe29b99dc61375bf6d786f824d9fcf6ea9c1a", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-24T20:08:27Z/" } ], "url": "https://github.com/yt-dlp/yt-dlp/commit/1fbbe29b99dc61375bf6d786f824d9fcf6ea9c1a" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2026.02.21", "reference_id": "2026.02.21", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-24T20:08:27Z/" } ], "url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2026.02.21" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442143", "reference_id": "2442143", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442143" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26331", "reference_id": "CVE-2026-26331", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26331" }, { "reference_url": "https://github.com/advisories/GHSA-g3gw-q23r-pgqm", "reference_id": "GHSA-g3gw-q23r-pgqm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g3gw-q23r-pgqm" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-g3gw-q23r-pgqm", "reference_id": "GHSA-g3gw-q23r-pgqm", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-24T20:08:27Z/" } ], "url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-g3gw-q23r-pgqm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39525?format=api", "purl": "pkg:pypi/yt-dlp@2026.2.21", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/yt-dlp@2026.2.21" } ], "aliases": [ "CVE-2026-26331", "GHSA-g3gw-q23r-pgqm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-nj93-7bj7-bqbt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/219333?format=api", "vulnerability_id": "VCID-qzy6-y49s-gfgu", "summary": "yt-dlp is a youtube-dl fork with additional features and fixes. yt-dlp allows the user to provide shell command lines to be executed at various stages in its download steps through the `--exec` flag. This flag allows output template expansion in its argument, so that metadata values may be used in the shell commands. The metadata fields can be combined with the `%q` conversion, which is intended to quote/escape these values so they can be safely passed to the shell. However, the escaping used for `cmd` (the shell used by Python's `subprocess` on Windows) does not properly escape special characters, which can allow for remote code execution if `--exec` is used directly with maliciously crafted remote data. This vulnerability only impacts `yt-dlp` on Windows, and the vulnerability is present regardless of whether `yt-dlp` is run from `cmd` or from `PowerShell`. Support for output template expansion in `--exec`, along with this vulnerable behavior, was added to `yt-dlp` in version 2021.04.11. yt-dlp version 2023.09.24 fixes this issue by properly escaping each special character. `\\n` will be replaced by `\\r` as no way of escaping it has been found. It is recommended to upgrade yt-dlp to version 2023.09.24 as soon as possible. Also, always be careful when using --exec, because while this specific vulnerability has been patched, using unvalidated input in shell commands is inherently dangerous. For Windows users who are not able to upgrade: 1. Avoid using any output template expansion in --exec other than {} (filepath). 2. If expansion in --exec is needed, verify the fields you are using do not contain \", | or &. 3. Instead of using --exec, write the info json and load the fields from it instead.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-40581", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.12983", "scoring_system": "epss", "scoring_elements": "0.94236", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.12983", "scoring_system": "epss", "scoring_elements": "0.94256", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.12983", "scoring_system": "epss", "scoring_elements": "0.94261", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.12983", "scoring_system": "epss", "scoring_elements": "0.94263", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-40581" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/yt-dlp/yt-dlp" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.09.24.003044", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.09.24.003044" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.09.24", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.09.24" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40581", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40581" }, { "reference_url": "https://github.com/advisories/GHSA-42h4-v29r-42qg", "reference_id": "GHSA-42h4-v29r-42qg", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-42h4-v29r-42qg" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg", "reference_id": "GHSA-42h4-v29r-42qg", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-42h4-v29r-42qg" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32449?format=api", "purl": "pkg:pypi/yt-dlp@2023.9.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-65md-pf4e-jqgx" }, { "vulnerability": "VCID-9cc8-rqk4-uqh8" }, { "vulnerability": "VCID-dbrg-uvxj-qqdz" }, { "vulnerability": "VCID-def2-csya-t7gv" }, { "vulnerability": "VCID-nj93-7bj7-bqbt" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/yt-dlp@2023.9.24" } ], "aliases": [ "CVE-2023-40581", "GHSA-42h4-v29r-42qg" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qzy6-y49s-gfgu" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/137866?format=api", "vulnerability_id": "VCID-ap8u-u8x3-57gq", "summary": "yt-dlp is a command-line program to download videos from video sites. During file downloads, yt-dlp or the external downloaders that yt-dlp employs may leak cookies on HTTP redirects to a different host, or leak them when the host for download fragments differs from their parent manifest's host. This vulnerable behavior is present in yt-dlp prior to 2023.07.06 and nightly 2023.07.06.185519. All native and external downloaders are affected, except for `curl` and `httpie` (version 3.1.0 or later).\n\nAt the file download stage, all cookies are passed by yt-dlp to the file downloader as a `Cookie` header, thereby losing their scope. This also occurs in yt-dlp's info JSON output, which may be used by external tools. As a result, the downloader or external tool may indiscriminately send cookies with requests to domains or paths for which the cookies are not scoped.\n\nyt-dlp version 2023.07.06 and nightly 2023.07.06.185519 fix this issue by removing the `Cookie` header upon HTTP redirects; having native downloaders calculate the `Cookie` header from the cookiejar, utilizing external downloaders' built-in support for cookies instead of passing them as header arguments, disabling HTTP redirectiong if the external downloader does not have proper cookie support, processing cookies passed as HTTP headers to limit their scope, and having a separate field for cookies in the info dict storing more information about scoping\n\nSome workarounds are available for those who are unable to upgrade. Avoid using cookies and user authentication methods. While extractors may set custom cookies, these usually do not contain sensitive information. Alternatively, avoid using `--load-info-json`. Or, if authentication is a must: verify the integrity of download links from unknown sources in browser (including redirects) before passing them to yt-dlp; use `curl` as external downloader, since it is not impacted; and/or avoid fragmented formats such as HLS/m3u8, DASH/mpd and ISM.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-35934", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00689", "scoring_system": "epss", "scoring_elements": "0.72339", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00689", "scoring_system": "epss", "scoring_elements": "0.72347", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00689", "scoring_system": "epss", "scoring_elements": "0.72257", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00689", "scoring_system": "epss", "scoring_elements": "0.72353", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-35934" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35934", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35934" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/yt-dlp/yt-dlp" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5X6YT6AQE5FHM5VTQLKKJXSYBLLJF26W", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5X6YT6AQE5FHM5VTQLKKJXSYBLLJF26W" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HEOKCGVONGHR2SYUIXU33A4MKXZBDP6L", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HEOKCGVONGHR2SYUIXU33A4MKXZBDP6L" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IM44RJL2MR2WG3ZY354C5IUEEZUJGEVA", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IM44RJL2MR2WG3ZY354C5IUEEZUJGEVA" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M7E7CQ5S5KMZHAMCNU7V7KYNBVCPLBHG", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M7E7CQ5S5KMZHAMCNU7V7KYNBVCPLBHG" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35934", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35934" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040595", "reference_id": "1040595", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040595" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1079502", "reference_id": "1079502", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1079502" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp/commit/1ceb657bdd254ad961489e5060f2ccc7d556b729", "reference_id": "1ceb657bdd254ad961489e5060f2ccc7d556b729", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-19T16:47:08Z/" } ], "url": "https://github.com/yt-dlp/yt-dlp/commit/1ceb657bdd254ad961489e5060f2ccc7d556b729" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.07.06", "reference_id": "2023.07.06", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-19T16:47:08Z/" } ], "url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2023.07.06" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.07.06.185519", "reference_id": "2023.07.06.185519", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-19T16:47:08Z/" } ], "url": "https://github.com/yt-dlp/yt-dlp-nightly-builds/releases/tag/2023.07.06.185519" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp/commit/3121512228487c9c690d3d39bfd2579addf96e07", "reference_id": "3121512228487c9c690d3d39bfd2579addf96e07", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-19T16:47:08Z/" } ], "url": "https://github.com/yt-dlp/yt-dlp/commit/3121512228487c9c690d3d39bfd2579addf96e07" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5X6YT6AQE5FHM5VTQLKKJXSYBLLJF26W/", "reference_id": "5X6YT6AQE5FHM5VTQLKKJXSYBLLJF26W", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-19T16:47:08Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5X6YT6AQE5FHM5VTQLKKJXSYBLLJF26W/" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp/commit/f8b4bcc0a791274223723488bfbfc23ea3276641", "reference_id": "f8b4bcc0a791274223723488bfbfc23ea3276641", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-19T16:47:08Z/" } ], "url": "https://github.com/yt-dlp/yt-dlp/commit/f8b4bcc0a791274223723488bfbfc23ea3276641" }, { "reference_url": "https://github.com/advisories/GHSA-v8mc-9377-rwjj", "reference_id": "GHSA-v8mc-9377-rwjj", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v8mc-9377-rwjj" }, { "reference_url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj", "reference_id": "GHSA-v8mc-9377-rwjj", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-19T16:47:08Z/" } ], "url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-v8mc-9377-rwjj" }, { "reference_url": "https://security.gentoo.org/glsa/202409-30", "reference_id": "GLSA-202409-30", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202409-30" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HEOKCGVONGHR2SYUIXU33A4MKXZBDP6L/", "reference_id": "HEOKCGVONGHR2SYUIXU33A4MKXZBDP6L", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-19T16:47:08Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HEOKCGVONGHR2SYUIXU33A4MKXZBDP6L/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IM44RJL2MR2WG3ZY354C5IUEEZUJGEVA/", "reference_id": "IM44RJL2MR2WG3ZY354C5IUEEZUJGEVA", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-19T16:47:08Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IM44RJL2MR2WG3ZY354C5IUEEZUJGEVA/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M7E7CQ5S5KMZHAMCNU7V7KYNBVCPLBHG/", "reference_id": "M7E7CQ5S5KMZHAMCNU7V7KYNBVCPLBHG", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-19T16:47:08Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M7E7CQ5S5KMZHAMCNU7V7KYNBVCPLBHG/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/381376?format=api", "purl": "pkg:pypi/yt-dlp@2023.7.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-65md-pf4e-jqgx" }, { "vulnerability": "VCID-9cc8-rqk4-uqh8" }, { "vulnerability": "VCID-def2-csya-t7gv" }, { "vulnerability": "VCID-nj93-7bj7-bqbt" }, { "vulnerability": "VCID-qzy6-y49s-gfgu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/yt-dlp@2023.7.6" }, { "url": "http://public2.vulnerablecode.io/api/packages/393845?format=api", "purl": "pkg:pypi/yt-dlp@2023.7.6.185519", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/yt-dlp@2023.7.6.185519" } ], "aliases": [ "CVE-2023-35934", "GHSA-v8mc-9377-rwjj" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ap8u-u8x3-57gq" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/yt-dlp@2023.7.6" }