漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
yt-dlp: Downstream command injection via improper sanitization of yt-dlp --write-link output
Vulnerability Description
yt-dlp and youtube-dl are command-line audio/video downloaders. Prior to 2026.7.4, the --write-link, --write-url-link, and --write-desktop-link options can write .url or .desktop shortcut files using attacker-controlled webpage_url or filename metadata without sufficient validation or escaping, allowing malicious file:// URI injection on Windows or newline-based desktop entry key injection on Linux that can execute commands if the generated shortcut is opened. This issue is fixed in version 2026.7.4.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Vulnerability Type
输出中的特殊元素转义处理不恰当(注入)
Vulnerability Title
yt-dlp 输入验证错误漏洞
Vulnerability Description
yt-dlp是yt-dlp团队的一个视频下载命令行工具。 yt-dlp 2026.7.4之前版本存在输入验证错误漏洞,该漏洞源于--write-link、--write-url-link和--write-desktop-link选项在写入.url或.desktop快捷方式文件时,未对攻击者控制的webpage_url或filename元数据进行充分的验证或转义,可能导致Windows上的恶意file:// URI注入或Linux上基于换行的desktop entry键注入,如果生成的快捷方式被打开,可执行
CVSS Information
N/A
Vulnerability Type
N/A