Cyber Resilience

CVE-2026-50023

High · Public PoC

Published: 23 June 2026
Modified: 26 June 2026
KEV Added: not listed
Patch: fixed in yt-dlp 2026.06.09
CVSS Score (v3.1): 8.3 High · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score: 0.0056 (42.2nd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-50023 is a high-severity Improper Restriction of Names for Files and Other Resources (CWE-641) vulnerability in yt-dlp (yt-dlp project). Its CVSS v3.1 base score is 8.3 (High); the vector records network attack vector, high attack complexity, no privileges, user interaction required and changed scope, with high confidentiality, integrity and availability impact.

Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105). The CVE is ranked at the 42.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.


Vulnerability details

yt-dlp is a command-line audio/video downloader. Prior to 2026.06.09, yt-dlp allows a remote attacker to write arbitrary OS-shortcut files (such as .desktop, .url, .webloc) to the user's filesystem, bypassing the remediation for CVE-2024-38519. The allowlist explicitly included the unsafe extensions .desktop, .url, and .webloc so that the functionality of the --write-link option (and its variants) could be preserved. These allowlist inclusions can be exploited by an attacker to write malicious OS-shortcut files in the context of a media or subtitles download. This vulnerability is fixed in 2026.06.09.
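The allowlist behaviour described above, modelled as an added example: this is not yt-dlp's own code, and the allowlist contents, the purpose labels (media, subtitles, metadata, link) and every function name are constructed for illustration. The pre-fix policy keeps one allowlist for every caller and therefore accepts a remote-supplied extension of desktop for a subtitles write; the hardened policy keys the allowlist on why the file is being written, so shortcut extensions are reachable only through the local --write-link path.

```python
import re

# Constructed illustrative allowlists for this example; yt-dlp's real tables are
# larger and live in its own source, which is not reproduced here.
MEDIA_EXTENSIONS = frozenset({"mp4", "mkv", "webm", "mov", "mp3", "m4a", "opus", "flac", "wav"})
SUBTITLE_EXTENSIONS = frozenset({"srt", "vtt", "ass", "ttml", "lrc"})
METADATA_EXTENSIONS = frozenset({"json", "jpg", "png", "webp", "description"})
# OS-shortcut formats produced by --write-link and its variants:
# .desktop (freedesktop), .url (Windows), .webloc (macOS).
SHORTCUT_EXTENSIONS = frozenset({"desktop", "url", "webloc"})

# Why a file is written. The first three purposes are driven by data the remote
# site controls (format lists, subtitle tracks, thumbnails); 'link' is reached
# only through the local --write-link family of options. (Assumed labels.)
REMOTE_DRIVEN = ("media", "subtitles", "metadata")
ALLOWED_BY_PURPOSE = {
    "media": MEDIA_EXTENSIONS,
    "subtitles": SUBTITLE_EXTENSIONS,
    "metadata": METADATA_EXTENSIONS,
    "link": SHORTCUT_EXTENSIONS,
}
ALL_EXTENSIONS = frozenset().union(*ALLOWED_BY_PURPOSE.values())


class UnsafeExtensionError(ValueError):
    """Raised when an output extension is not allowlisted for its purpose."""


_EXT_SHAPE = re.compile(r"[a-z0-9]{1,16}")


def normalise_extension(ext):
    """Lower-case, strip a leading dot, and reject anything that is not a plain
    token, so values like 'desktop/..' or 'mp4\\x00' never reach the comparison."""
    ext = ext.strip().lstrip(".").lower()
    if not _EXT_SHAPE.fullmatch(ext):
        raise UnsafeExtensionError(f"malformed extension {ext!r}")
    return ext


def sanitize_extension_vulnerable(ext):
    """Pre-fix shape: one allowlist for every caller. The shortcut extensions were
    added so --write-link kept working, so a remote-supplied ext of 'desktop'
    passes here even for a subtitles download."""
    ext = normalise_extension(ext)
    if ext in ALL_EXTENSIONS:
        return ext
    raise UnsafeExtensionError(f"unsafe extension {ext!r}")


def sanitize_extension_fixed(ext, purpose):
    """Hardened shape: the allowlist is keyed on why the file is written. Shortcut
    extensions are reachable only via purpose='link', which remote data cannot
    select."""
    ext = normalise_extension(ext)
    if ext in ALLOWED_BY_PURPOSE[purpose]:
        return ext
    raise UnsafeExtensionError(f"extension {ext!r} not allowed for {purpose} output")


def is_blocked(sanitizer, *args):
    """True if the sanitizer rejects the given arguments."""
    try:
        sanitizer(*args)
    except UnsafeExtensionError:
        return True
    return False


def compare_policies(remote_exts):
    """Run remote-supplied extensions through both policies for each remote-driven
    purpose. Returns {(ext, purpose): (vulnerable_allows, fixed_allows)}."""
    results = {}
    for ext in remote_exts:
        for purpose in REMOTE_DRIVEN:
            results[(ext, purpose)] = (
                not is_blocked(sanitize_extension_vulnerable, ext),
                not is_blocked(sanitize_extension_fixed, ext, purpose),
            )
    return results


if __name__ == "__main__":
    # Constructed sample: extension values as an extractor might report them for a
    # subtitle track or media format, including ones a malicious site would choose.
    sample = ["vtt", "mp4", "desktop", "url", "webloc", "exe"]
    for (ext, purpose), (vuln_ok, fixed_ok) in sorted(compare_policies(sample).items()):
        print(f"{ext:8} {purpose:9} vulnerable={'allow' if vuln_ok else 'block'} "
              f"fixed={'allow' if fixed_ok else 'block'}")
```

The point of the second sanitizer is not a longer denylist but a narrower allowlist per call site: the --write-link code path asks for a shortcut extension it chose itself, whereas the media and subtitles paths pass through whatever the extractor reported, so the two must not share one table.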


Related Threats

MITRE ATT&CK Enterprise Techniques

T1105 Ingress Tool Transfer (tactic: Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

An arbitrary write of attacker-chosen shortcut files during a download directly enables ingress of attacker-controlled content onto the victim filesystem: the .desktop, .url or .webloc file lands in the user's download directory under the guise of a media or subtitles output.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

yt-dlp project
yt-dlp
all versions prior to 2026.06.09 (2026.06.09 contains the fix)

Mitigating Controls

No mitigating controls are mapped yet (the per-CVE control annotator has not reached this CVE). The vendor fix is to upgrade to yt-dlp 2026.06.09. On unpatched installs, a .desktop, .url or .webloc file appearing in a download directory when --write-link (or a variant) was not requested is a sign that this weakness was exercised.
