
Mageia yt-dlp Important Issues CVE-2026-50019 Remote Code Execution

mageia
July 4, 2026
Critical security issues in yt-dlp for Mageia. Update needed to prevent code execution and potential cookie leaks.
Security update

Summary

Description:

- CVE-2026-50019: If curl is used as an external downloader for yt-dlp, cookies may be leaked to an unintended host upon HTTP redirect or when the host for download fragments differs from their parent manifest's.

- CVE-2026-50023: A vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as .desktop, .url, .webloc) to the user's filesystem, bypassing the remediation for CVE-2024-38519.

- CVE-2026-50574: If aria2c is used as an external downloader for a fragmented manifest format (such as an HLS/DASH stream), yt-dlp passes insufficiently sanitized input to aria2c that allows an attacker to perform an arbitrary file write. On Windows platforms, this can lead to immediate arbitrary code execution. On non-Windows platforms, this can lead to arbitrary code execution upon the next invocation of yt-dlp.

For Mageia 9 we import yt-dlp-ejs to ensure the application still works.

References

- https://bugs.mageia.org/show_bug.cgi?id=35739

- https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-f7j3-774f-rfhj

- https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-c6mh-fpjc-4pr3

- https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-vx4q-3cr2-7cg2

- https://www.cve.org/CVERecord?id=CVE-2026-50019

- https://www.cve.org/CVERecord?id=CVE-2026-50023

- https://www.cve.org/CVERecord?id=CVE-2026-50574

Resolution

SRPMS

- 10/core/yt-dlp-2026.06.09-1.mga10

- 9/core/yt-dlp-2026.06.09-1.1.mga9

- 9/core/yt-dlp-ejs-0.8.0-1.mga9
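
The following exposure check is an added example, not part of the Mageia advisory or of yt-dlp: it compares a version string against the packaged 2026.06.09 release and flags configuration lines that select curl or aria2c as the external downloader, the preconditions named for CVE-2026-50019 and CVE-2026-50574. The function names, the sample configuration and the assumption that any version at or above the packaged one is fixed are illustrative.

```python
import re
import shlex

FIXED_VERSION = (2026, 6, 9)              # upstream version of the fixed packages above
RISKY_DOWNLOADERS = {"curl", "aria2c"}    # downloaders named in the description
DOWNLOADER_OPTS = {"--downloader", "--external-downloader"}

# Constructed sample config, not taken from the advisory.
SAMPLE_CONFIG = """\
# personal defaults
-o "%(title)s.%(ext)s"
--downloader "dash,m3u8:aria2c"
--external-downloader=curl
--downloader native
"""

def parse_version(text):
    """Map '2026.06.09' or '2026.06.09-1.1.mga9' to (2026, 6, 9)."""
    m = re.match(r"(\d{4})\.(\d{1,2})\.(\d{1,2})", text.strip())
    if not m:
        raise ValueError(f"unrecognised yt-dlp version: {text!r}")
    return tuple(int(part) for part in m.groups())

def is_patched(version_text):
    """Assumption: any version at or above the packaged one carries the fixes."""
    return parse_version(version_text) >= FIXED_VERSION

def risky_downloaders(config_text):
    """Return (line_number, downloader) for each option selecting curl or aria2c."""
    hits = []
    for number, line in enumerate(config_text.splitlines(), 1):
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:          # unbalanced quotes: not a usable option line
            continue
        for i, token in enumerate(tokens):
            opt, has_value, value = token.partition("=")
            if opt not in DOWNLOADER_OPTS:
                continue
            if not has_value:       # value given as the next token
                value = tokens[i + 1] if i + 1 < len(tokens) else ""
            # Value is NAME or PROTO:NAME; NAME may also be a path to the binary.
            name = value.rsplit(":", 1)[-1].rsplit("/", 1)[-1].strip().lower()
            if name in RISKY_DOWNLOADERS:
                hits.append((number, name))
    return hits

if __name__ == "__main__":
    print(is_patched("2026.06.09-1.1.mga9"), risky_downloaders(SAMPLE_CONFIG))
```

A clean result from `risky_downloaders` says nothing about CVE-2026-50023, which the description does not tie to an external downloader, so the package update is still required.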

Severity
important

Publication date: 04 Jul 2026 
URL: https://advisories.mageia.org/MGASA-2026-0234.html
Type: security
CVE: CVE-2026-50019, CVE-2026-50023, CVE-2026-50574
