Cyber Resilience

CVE-2026-26331

High · Public PoC · RCE

Published: 24 February 2026
Modified: 25 February 2026
KEV Added: not listed (not currently in the CISA KEV catalog)
Patch: available (yt-dlp 2026.02.21)
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0160 (72.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-26331 is a high-severity OS Command Injection (CWE-78) vulnerability in yt-dlp (vendor: yt-dlp project). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE ranks in the top 27.4% of CVEs by EPSS exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-26331 is an arbitrary command injection vulnerability in yt-dlp, a command-line audio/video downloader. It affects versions starting from 2023.06.21 up to but not including 2026.02.21, specifically when the `--netrc-cmd` command-line option or the `netrc_cmd` Python API parameter is used. A maliciously crafted URL can trigger the injection during netrc processing, enabling attackers to execute arbitrary commands on the user's system.

Exploitation requires a user to invoke yt-dlp with the vulnerable options while downloading from a malicious URL: the vector demands user interaction (UI:R) but no privileges (PR:N) and is reachable over the network (AV:N). Although the malicious URL itself may look suspicious, an attacker could deliver it covertly via an HTTP redirect from an inconspicuous webpage. A successful attack has high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), giving a CVSS v3.1 base score of 8.8.

yt-dlp version 2026.02.21 fixes the issue by validating all netrc "machine" values and raising an error on unexpected input. As a workaround, users unable to upgrade should avoid the `--netrc-cmd` option or `netrc_cmd` parameter entirely, or at least not pass a placeholder like `{}` in the argument. Details are documented in the project's GitHub security advisory (GHSA-g3gw-q23r-pgqm), release notes for 2026.02.21, and the fixing commit.

No evidence of real-world exploitation has been found, and users not employing the affected options remain unaffected. The flaw is classified under CWE-78 (OS Command Injection).
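As an added illustration, not yt-dlp's own code, the defensive pattern the fix describes: treat the netrc "machine" value as untrusted (it is derived from the URL, which a redirect can control), accept only a plain hostname, raise on anything else, and only then substitute it for the `{}` placeholder in the credential command, which is run as an argument vector rather than a shell string. The hostname regex, the function names and the URL-to-machine derivation are assumptions made for this example.

```python
import re
import shlex
import subprocess
from urllib.parse import urlparse

# Assumed policy (not yt-dlp's code): a netrc "machine" must be a plain RFC 1123
# hostname, so shell metacharacters, whitespace and empty values are rejected.
_MACHINE_RE = re.compile(
    r"(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*"
)


class NetrcMachineError(ValueError):
    """Raised instead of running anything when the machine value is unexpected."""


def is_valid_machine(machine: str) -> bool:
    return _MACHINE_RE.fullmatch(machine) is not None


def validate_machine(machine: str) -> str:
    if not is_valid_machine(machine):
        raise NetrcMachineError(f"unexpected netrc machine value: {machine!r}")
    return machine


def machine_from_url(url: str) -> str:
    # The machine name is derived from the URL host, which an HTTP redirect can
    # control, so it is validated before it is used anywhere.
    return validate_machine(urlparse(url).hostname or "")


def build_netrc_argv(netrc_cmd: str, machine: str) -> list[str]:
    # Substitute the {} placeholder only after validation, and keep the command
    # as an argv list: with shell=False the value is never parsed as shell syntax.
    machine = validate_machine(machine)
    return [arg.replace("{}", machine) for arg in shlex.split(netrc_cmd)]


def run_netrc_cmd(netrc_cmd: str, machine: str) -> str:
    """Return the credential helper's stdout for the (validated) machine."""
    argv = build_netrc_argv(netrc_cmd, machine)
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout
```

Rejecting the value before substitution is what turns a redirect-controlled host into an error message rather than an executed command; running without a shell removes the second half of the problem independently.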

Vulnerability details

yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 and prior to version 2026.02.21, when yt-dlp's `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL. yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses `--netrc-cmd` in their command/configuration or `netrc_cmd` in their Python scripts. Even though the maliciously crafted URL itself will look very suspicious to many users, it would be trivial for a maliciously crafted webpage with an inconspicuous URL to covertly exploit this vulnerability via HTTP redirect. Users without `--netrc-cmd` in their arguments or `netrc_cmd` in their scripts are unaffected. No evidence has been found of this exploit being used in the wild. yt-dlp version 2026.02.21 fixes this issue by validating all netrc "machine" values and raising an error upon unexpected input. As a workaround, users who are unable to upgrade should avoid using the `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter), or they should at least not pass a placeholder (`{}`) in their `--netrc-cmd` argument.

CWE(s)

CWE-78 OS Command Injection

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059 Command and Scripting Interpreter (tactic: Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

The vulnerability is an OS command injection (CWE-78) in the yt-dlp client application, directly enabling arbitrary command execution via a malicious URL when specific options are used, mapping to command interpreter abuse (T1059) and client-side exploitation (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-54072 (same product: Yt-Dlp Project Yt-Dlp)
CVE-2024-14010 (shared CWE-78)
CVE-2025-65480 (shared CWE-78)
CVE-2026-40517 (shared CWE-78)
CVE-2026-4946 (shared CWE-78)
CVE-2025-54074 (shared CWE-78)
CVE-2025-52626 (shared CWE-78)
CVE-2026-26029 (shared CWE-78)
CVE-2025-6514 (shared CWE-78)
CVE-2026-25546 (shared CWE-78)

Affected Assets

yt-dlp (yt-dlp project): versions from 2023.06.21 up to, but not including, 2026.02.21

Mitigating Controls (NIST 800-53 r5, AI)

SI-10 Information Input Validation (prevent)
Requires validation of information inputs such as netrc machine values derived from URLs, directly preventing the arbitrary command injection in yt-dlp.

SI-2 Flaw Remediation (prevent)
Ensures timely flaw remediation by updating yt-dlp to version 2026.02.21, which fixes the vulnerability through netrc machine validation.

CM-7 Least Functionality (prevent)
Restricts use of non-essential functions such as the `--netrc-cmd` option, aligning with the workaround of not enabling the vulnerable feature.