yt-dlp CVE-2026-26331 Arbitrary Command Injection via --netrc-cmd

Thinking Process: 1. Analyze the Request: Task: Translate a Chinese vulnerability intelligence summary to English. Role: Professional translator specializing in cybersecurity. Constraint 1: Maintain all Markdown formatting intact. Constraint 2: Do not add any introductory or concluding remarks. Input: A structured text containing vulnerability details (Key Information, Vulnerability Overview, Details, References) about a specific CVE (CVE-2026-26331) affecting yt-dlp. 2. Analyze the Input Text: Header: (Key Information) Section 1: (Vulnerability Overview) Items: Type, Affected Versions, Fixed Version, CVE ID, CVSS Score. Section 2: (Vulnerability Details) Items: Description, Impact, Patch, Workaround. Section 3: (Detailed Information) Bullet points explaining the technical mechanism. Section 4: (References) Links to GHSA, CVE, Release Tag. 3. Translation Strategy (Cybersecurity Context): Terminology: Ensure standard cybersecurity terms are used (e.g., "Arbitrary Command Injection", "Affected Versions", "CVSS Base Score", "Workaround", "Extractor", "Shell", "HTTP Redirect"). Tone: Professional, precise, objective. Formatting: Keep headers ( , ), lists ( ), bold text ( ), and code blocks/inline code (` ` 任意命令注入 受影响版本 已修复版本 CVSS v3 基准分 漏洞详情 描述 影响 补丁 变通方法 详细信息 参考 提取器 占位符 通配符 关键信息 Key Information 漏洞概述 Vulnerability Overview - 漏洞类型: 任意命令注入 - Vulnerability Type: Arbitrary Command Injection - 受影响版本: - Affected Versions: - 已修复版本: - Fixed Versions: - CVE ID: CVE-2026-26331 - CVE ID: CVE-2026-26331 - CVSS v3 基准分: 8.8 / 10 - CVSS v3 Base Score: 8.8 / 10 漏洞详情 Vulnerability Details - 描述: 在使用 命令行选项（或 Python API 参数）时，攻击者可以通过恶意构造的 URL 在用户系统上实现任意命令注入。 - Description: When using the command-line option (or Python API parameter), attackers can achieve arbitrary command injection on the user's system via maliciously crafted URLs. - 影响: 任何在其命令/配置或脚本中使用 的用户将直接受到影响。尽管恶意 URL 本身可能显得可疑，攻击者仍可通过 HTTP 重定向进行隐蔽攻击。 - Impact: Any user utilizing in their commands, configurations, or scripts will be directly affected. Although malicious URLs may appear suspicious, attackers can still conduct covert attacks via HTTP redirects. - 补丁: yt-dlp 2026.02.21 版本通过验证所有 "machine" 值并在遇到意外输入时抛出错误修复此问题。 - Patch: yt-dlp version 2026.02.21 fixes this issue by validating all "machine" values and throwing an error upon encountering unexpected input. - 变通方法: 尽快升级至 yt-dlp 2026.02.21 版本，或避免使用 命令行选项（或 参数），至少不要在 参数中传递占位符 。 - Workaround: Upgrade to yt-dlp version 2026.02.21 as soon as possible, or avoid using the command-line option (or parameter). At a minimum, do not pass the placeholder within the parameter. 详细信息 Technical Details - 选项用于运行任意命令检索站点登录凭证，无需将凭证存储为纯文本。如果参数中包含占位符 ，将被 值替换，可能导致特殊字符在宿主 Shell 中被误解析。 - The option is used to run arbitrary commands to retrieve site login credentials without storing credentials as plain text. If the parameter contains the placeholder , it will be replaced by the value, which may cause special characters to be misinterpreted by the host Shell. - 在 yt-dlp 的四个提取器中，当 值需从站点主机名动态获取时，如果允许通配符匹配一个或多个子域名，将会导致 值中包含特殊 Shell 字符。 - In four of yt-dlp's extractors, when the value needs to be dynamically retrieved from the site hostname, allowing wildcards to match one or more subdomains can result in the value containing special Shell characters. - 虽然只有 3 个提取器直接易受攻击，但 提取器会跟随 HTTP 重定向，因此可能导致任意 URL 最终与易受攻击的提取器匹配。 - Although only 3 extractors are directly vulnerable, the extractor follows HTTP redirects, which may cause arbitrary URLs to eventually match a vulnerable extractor. 参考 References - GHSA: ... - GHSA: ... - CVE Detail: ... - CVE Detail: ... - Release Tag: ... - Release Tag: ... --netrc-cmd 详细信息 详细信息 Technical Details Detailed Information Technical Details 变通方法 宿主 Shell 提取器 通配符 基准分 2026.02.21 Key Key 详细信息 关键信息 Key Information 漏洞概述 Vulnerability Overview 漏洞详情 Vulnerability Details {} --netrc-cmd {} --netrc-cmd 变通方法 CVSS v3 基准分 CVSS v3 Base Score 受影响版本 Affected Versions 已修复版本 Fixed Versions >=2023.06.21, =2026.02.21 --netrc-cmd netrc_cmd --netrc-cmd netrc --netrc-cmd netrc_cmd {} --netrc-cmd --netrc-cmd {} netrc "machine" netrc "machine" netrc "machine" generic 详细信息 宿主 Shell 特殊 Shell 字符 提取器 通配符 Workaround --netrc-cmd {} {} --netrc-cmd {} Patch Impact - ` >=2023.06.21, =2026.02.21 --netrc-cmd netrc_cmd --netrc-cmd` in their commands, configurations, or scripts will be directly affected. Although malicious URLs may appear suspicious, attackers can still conduct covert attacks

Goal Reached Thanks to every supporter — we hit 100%!

yt-dlp CVE-2026-26331 Arbitrary Command Injection via --netrc-cmd

More from this source