openSUSE yt-dlp Important Cookie Leakage Code Execution 2026-21163-1
opensuse
June 30, 2026
An update that solves 3 vulnerabilities can now be installed.
Description
This update for yt-dlp fixes the following issues:
Changes in yt-dlp:
- Update to version 2026.06.09
* Fixed [CVE-2026-50019]: File Downloader cookie leak with curl
* Fixed [CVE-2026-50023]: Dangerous file type creation via
insufficient filename sanitization
* Fixed [CVE-2026-50574]: Arbitrary code execution via manifest
downloads with aria2c
* Added lockfile and pinned extras
* Removed url, desktop and webloc from safe extensions
* Extract supplemental codecs from DASH manifests
* abematv: Extract subtitles
* ard: Support new ardsounds domain
* monstercat: Support older URLs
* pornhub: Support browser impersonation
* reddit: Fix unauthenticated extraction
* rtp: Support multi-part episodes and --no-playlist
* s4c: Extract more metadata
* soop: Adapt extractors to new domain
* soundcloud: Support --extractor-retries for original formats
* twitch: Remove dead rechat subtitles
* twitter: Fix view_count extraction
* external: aria2c: Remove...
Read the Full Advisory
Topics Covered
Patch
Package List
- openSUSE Leap 16.0:
python313-yt-dlp-2026.06.09-bp160.1.1
yt-dlp-2026.06.09-bp160.1.1
yt-dlp-youtube-dl-2026.06.09-bp160.1.1
References
* https://www.suse.com/security/cve/CVE-2026-50019.html
* https://www.suse.com/security/cve/CVE-2026-50023.html
* https://www.suse.com/security/cve/CVE-2026-50574.html
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Announcement ID: openSUSE-SU-2026:21163-1
Rating: important
Affected Products:
openSUSE Leap 16.0
-------------------------------------------------------------
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!