CVE-2026-55404
Received Received - Intake

Command Injection via Malicious .url/.desktop Files in yt-dlp

Vulnerability report for CVE-2026-55404, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

yt-dlp and youtube-dl are command-line audio/video downloaders. Prior to 2026.7.4, the --write-link, --write-url-link, and --write-desktop-link options can write .url or .desktop shortcut files using attacker-controlled webpage_url or filename metadata without sufficient validation or escaping, allowing malicious file:// URI injection on Windows or newline-based desktop entry key injection on Linux that can execute commands if the generated shortcut is opened. This issue is fixed in version 2026.7.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
yt-dlp yt-dlp 2026.7.4
youtube-dl youtube-dl to 2026.7.4 (exc)
yt-dlp yt-dlp to 2026.7.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability can lead to remote command execution if a user opens a maliciously crafted shortcut file generated by yt-dlp or youtube-dl using the affected options. An attacker can exploit this to run arbitrary commands on the victim's system.

The impact includes potential compromise of system confidentiality, integrity, and availability, as attackers could execute harmful commands remotely.

Because the attack requires user interaction (opening the malicious shortcut), the risk depends on user behavior, but the CVSS score of 7.5 indicates a high severity.

Compliance Impact

The provided information does not explicitly address how CVE-2026-55404 affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves the use of the --write-link, --write-url-link, or --write-desktop-link options in yt-dlp or youtube-dl to generate shortcut files containing untrusted metadata that can lead to command injection.

To detect if your system is vulnerable, you can check the version of yt-dlp or youtube-dl installed and whether these options have been used to generate shortcut files.

  • Run `yt-dlp --version` or `youtube-dl --version` to verify if the version is prior to 2026.7.4.
  • Search for any .url or .desktop files created by yt-dlp or youtube-dl that might contain suspicious or unexpected file:// URIs or newline characters in desktop entry keys.
  • On Linux, you can use commands like `grep -rP '\n' /path/to/shortcuts` to find newline characters in .desktop files that could indicate injection.
  • On Windows, inspect .url files for file:// URIs that are not expected or that point to remote executables.
Executive Summary

CVE-2026-55404 is a command injection vulnerability in the yt-dlp and youtube-dl tools prior to version 2026.7.4. The vulnerability arises when using the --write-link, --write-url-link, or --write-desktop-link options, which create shortcut files (.url or .desktop) containing metadata such as webpage URLs or filenames. These metadata values were not properly validated or escaped, allowing an attacker to inject malicious content.

On Windows, this could allow malicious file:// URI injection in .url files, potentially executing remote executables when the shortcut is opened. On Linux, specially crafted filenames with newline characters could manipulate .desktop files to inject shell commands, leading to command execution.

The issue was fixed in version 2026.7.4 by validating URL schemes and properly escaping filenames to prevent injection attacks.

Mitigation Strategies

The primary mitigation is to upgrade yt-dlp or youtube-dl to version 2026.7.4 or later, where the vulnerability is fixed by validating and escaping values used in shortcut file generation.

Until you can upgrade, avoid using the --write-link, --write-url-link, and --write-desktop-link options to prevent generating potentially malicious shortcut files.

Additionally, review and remove any shortcut files (.url or .desktop) created by previous versions that might contain malicious payloads.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55404. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart