CVE-2026-55404 in yt-dlpinfo

Summary

by MITRE • 07/08/2026

yt-dlp and youtube-dl are command-line audio/video downloaders. Prior to 2026.7.4, the --write-link, --write-url-link, and --write-desktop-link options can write .url or .desktop shortcut files using attacker-controlled webpage_url or filename metadata without sufficient validation or escaping, allowing malicious file:// URI injection on Windows or newline-based desktop entry key injection on Linux that can execute commands if the generated shortcut is opened. This issue is fixed in version 2026.7.4.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/08/2026

The vulnerability affects yt-dlp and youtube-dl command-line tools used for downloading audio and video content from various online platforms. These tools provide functionality to create shortcut files using specific options that can be exploited through insufficient input validation mechanisms. The flaw specifically impacts versions prior to 2026.7.4 where the --write-link, --write-url-link, and --write-desktop-link options fail to properly sanitize user-provided metadata when generating .url or .desktop files. This vulnerability represents a classic case of insecure deserialization and improper input validation that can lead to arbitrary code execution through crafted shortcut files.

The technical implementation of this vulnerability stems from how these tools handle user-supplied webpage_url or filename metadata when creating shortcut files on different operating systems. On Windows systems, the attacker-controlled metadata can be injected into .url files using file:// URI schemes without proper escaping or validation, allowing for path traversal and arbitrary command execution when the malicious shortcut is opened. On Linux systems, newline characters in the metadata can be used to inject additional desktop entry keys into .desktop files, potentially modifying the execution behavior of applications. This type of vulnerability aligns with CWE-74 and CWE-152 which address improper neutralization of special elements used in data queries and insecure deserialization respectively.

The operational impact of this vulnerability extends beyond simple command injection as it creates a persistent threat vector through shortcut files that can be executed by unsuspecting users. When victims open the malicious shortcut files, either manually or through automatic execution mechanisms like Windows Explorer or desktop environments, the system will execute commands as specified in the crafted metadata. This attack vector leverages social engineering aspects where users might trust shortcuts created by seemingly legitimate download tools, making the exploitation more likely to succeed in real-world scenarios.

Mitigation strategies for this vulnerability should focus on input validation and sanitization of all user-provided metadata before creating shortcut files. The fix implemented in version 2026.7.4 includes proper escaping and validation mechanisms that prevent injection attacks by ensuring special characters are properly handled during file generation. Organizations should immediately update to the patched version and implement monitoring for any attempts to create shortcut files using these options with suspicious metadata. Security practitioners should also consider implementing application whitelisting policies and user education about the risks of opening unknown shortcut files, particularly in enterprise environments where these tools may be deployed widely. This vulnerability demonstrates the importance of following secure coding practices as outlined in the ATT&CK framework under T1059 for command and script injection techniques that can be leveraged through seemingly benign file creation operations.

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!