MGASA-2026-0234

Source
https://advisories.mageia.org/MGASA-2026-0234.html
Import Source
https://advisories.mageia.org/MGASA-2026-0234.json
JSON Data
https://api.osv.dev/v1/vulns/MGASA-2026-0234
Upstream
  • CVE-2026-50019
  • CVE-2026-50023
  • CVE-2026-50574
Published
2026-07-04T06:38:35Z
Modified
2026-07-04T06:45:04.544787580Z
Summary
Updated yt-dlp packages fix security vulnerabilities
Details

CVE-2026-50019: If curl is used as an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's.

CVE-2026-50023: A vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as .desktop, .url, .webloc) to the user's filesystem, bypassing the remediation for CVE-2024-38519.

CVE-2026-50574: If aria2c is used as an external downloader for a fragmented manifest format (such as an HLS/DASH stream), yt-dlp passes insufficiently sanitized input to aria2c that allows an attacker to perform an arbitrary file write. On Windows platforms, this can lead to immediate arbitrary code execution. On non-Windows platforms, this can lead to arbitrary code execution upon the next invocation of yt-dlp.

For Mageia 9 we import yt-dlp-ejs to ensure the application still works.


Affected packages

Mageia:10 / yt-dlp

Package

Name
yt-dlp
Purl
pkg:rpm/mageia/yt-dlp?arch=source&distro=mageia-10

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2026.06.09-1.mga10

Ecosystem specific

{
    "section": "core"
}

Database specific

source
"https://advisories.mageia.org/MGASA-2026-0234.json"

Mageia:9 / yt-dlp

Package

Name
yt-dlp
Purl
pkg:rpm/mageia/yt-dlp?arch=source&distro=mageia-9

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2026.06.09-1.1.mga9

Ecosystem specific

{
    "section": "core"
}

Database specific

source
"https://advisories.mageia.org/MGASA-2026-0234.json"

Mageia:9 / yt-dlp-ejs

Package

Name
yt-dlp-ejs
Purl
pkg:rpm/mageia/yt-dlp-ejs?arch=source&distro=mageia-9

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0.8.0-1.mga9

Ecosystem specific

{
    "section": "core"
}

Database specific

source
"https://advisories.mageia.org/MGASA-2026-0234.json"