Advisories » MGASA-2026-0234

Updated yt-dlp packages fix security vulnerabilities

Publication date: 04 Jul 2026
Modification date: 04 Jul 2026
Type: security
Affected Mageia releases: 10, 9
CVE: CVE-2026-50019, CVE-2026-50023, CVE-2026-50574

Description

CVE-2026-50019: If curl is used as an external downloader for yt-dlp,
cookies may be leaked to an unintended host upon HTTP redirect or when
the host for download fragments differs from their parent manifest's.

CVE-2026-50023: A vulnerability exists in yt-dlp that allows a remote
attacker to write arbitrary OS-shortcut files (such as .desktop, .url,
.webloc) to the user's filesystem, bypassing the remediation for
CVE-2024-38519.

CVE-2026-50574: If aria2c is used as an external downloader for a
fragmented manifest format (such as an HLS/DASH stream), yt-dlp passes
insufficiently sanitized input to aria2c that allows an attacker to
perform an arbitrary file write. On Windows platforms, this can lead to
immediate arbitrary code execution. On non-Windows platforms, this can
lead to arbitrary code execution upon the next invocation of yt-dlp.

For Mageia 9 we import yt-dlp-ejs to ensure the application still works.
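
A triage check for the two external-downloader issues above, as an added example (not part of the advisory and not yt-dlp's own code): it scans the text of a yt-dlp configuration file for `--downloader` / `--external-downloader` settings that name curl or aria2c. The function names, the sample config and the protocol list (taken from yt-dlp's option help) are assumptions of this example.

```python
import ntpath
import shlex

# From the advisory text: external downloader -> CVE that involves it.
AFFECTED = {"curl": "CVE-2026-50019", "aria2c": "CVE-2026-50574"}
OPTIONS = ("--downloader", "--external-downloader")
# Protocol prefixes accepted by the option, per yt-dlp's option help (assumption).
PROTOCOLS = {"http", "ftp", "m3u8", "dash", "rtsp", "rtmp", "mms"}

# Constructed sample config, not taken from the advisory.
SAMPLE_CONFIG = """\
--downloader aria2c
--downloader "dash,m3u8:native"
--external-downloader=http:/usr/bin/curl
# --downloader curl   (commented out, must be ignored)
"""


def downloader_settings(config_text):
    """Yield (protocols, downloader) for every downloader option in the text."""
    # Config files hold command-line options; '#' starts a comment.
    tokens = iter(shlex.split(config_text, comments=True))
    for token in tokens:
        opt, sep, value = token.partition("=")
        if opt not in OPTIONS:
            continue
        if not sep:  # "--downloader NAME" form: the value is the next token
            value = next(tokens, "")
        protos, colon, name = value.partition(":")
        if not colon or not set(protos.lower().split(",")) <= PROTOCOLS:
            protos, name = "default", value  # no protocol prefix present
        yield protos.lower(), name.strip()


def exposed_downloaders(config_text):
    """Return sorted (cve, downloader, protocols) findings for one config.

    Bare names, full paths and a Windows ".exe" suffix are all recognised.
    """
    findings = set()
    for protos, name in downloader_settings(config_text):
        stem = ntpath.splitext(ntpath.basename(name))[0].lower()
        if stem in AFFECTED:
            findings.add((AFFECTED[stem], stem, protos))
    return sorted(findings)


if __name__ == "__main__":
    for cve, tool, protos in exposed_downloaders(SAMPLE_CONFIG):
        print(f"{cve}: external downloader {tool} set for {protos}")
```

Downloader choices passed on the command line or through yt-dlp's Python API do not appear in configuration files and are not covered by this check.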
                

References

SRPMS

10/core

9/core