{
  "schema_version": "1.7.0",
  "id": "MGASA-2026-0234",
  "published": "2026-07-04T06:38:35Z",
  "modified": "2026-07-04T05:50:06Z",
  "summary": "Updated yt-dlp packages fix security vulnerabilities",
  "details": "CVE-2026-50019 If curl is used as an external downloader for yt-dlp,\ncookies may be leaked to an unintended host upon HTTP redirect or when\nthe host for download fragments differs from their parent manifest's.\nCVE-2026-50023 A vulnerability exists in yt-dlp that allows a remote\nattacker to write arbitrary OS-shortcut files (such as .desktop, .url,\n.webloc) to the user's filesystem, bypassing the remediation for\nCVE-2024-38519.\nCVE-2026-50574 If aria2c is used as an external downloader for a\nfragmented manifest format (such as an HLS/DASH stream), yt-dlp passes\ninsufficiently sanitized input to aria2c that allows an attacker to\nperform an arbitrary file write. On Windows platforms, this can lead to\nimmediate arbitrary code execution. On non-Windows platforms, this can\nlead to arbitrary code execution upon the next invocation of yt-dlp.\nFor mageia 9 we import yt-dlp-ejs to ensure the application still works.\n",
  "upstream": [
    "CVE-2026-50019",
    "CVE-2026-50023",
    "CVE-2026-50574"
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://advisories.mageia.org/MGASA-2026-0234.html"
    },
    {
      "type": "REPORT",
      "url": "https://bugs.mageia.org/show_bug.cgi?id=35739"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-f7j3-774f-rfhj"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-c6mh-fpjc-4pr3"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-vx4q-3cr2-7cg2"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Mageia:10",
        "name": "yt-dlp",
        "purl": "pkg:rpm/mageia/yt-dlp?arch=source&distro=mageia-10"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.06.09-1.mga10"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    },
    {
      "package": {
        "ecosystem": "Mageia:9",
        "name": "yt-dlp",
        "purl": "pkg:rpm/mageia/yt-dlp?arch=source&distro=mageia-9"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.06.09-1.1.mga9"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    },
    {
      "package": {
        "ecosystem": "Mageia:9",
        "name": "yt-dlp-ejs",
        "purl": "pkg:rpm/mageia/yt-dlp-ejs?arch=source&distro=mageia-9"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.0-1.mga9"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    }
  ],
  "credits": [
    {
      "name": "Mageia",
      "type": "COORDINATOR",
      "contact": [
        "https://wiki.mageia.org/en/Packages_Security_Team"
      ]
    }
  ]
}
