CVE-2025-66203

Source
https://cve.org/CVERecord?id=CVE-2025-66203
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66203.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-66203
Aliases
  • GHSA-c747-q388-3v6m
Published
2025-12-26T23:37:03.817Z
Modified
2026-07-15T02:16:24.620376327Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
StreamVault is Vulnerable to Authenticated Remote Code Execution (RCE) via ytdlpargs Configuration Injection
Details

StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application allows administrators to configure yt-dlp arguments via the /admin/api/saveConfig endpoint without sufficient validation. These arguments are stored globally and subsequently used in YtDlpUtil.java when constructing the command line to execute yt-dlp. This issue has been patched in version 251126.

Database specific
{
    "cwe_ids": [
        "CWE-78"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66203.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/lemon8866/streamvault

Affected ranges

Type
GIT
Repo
https://github.com/lemon8866/streamvault
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:lemon8866:streamvault:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "251126"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

Other
251118
251126

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66203.json"