CVE-2026-6219
4.8
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Summary
A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function child_process.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| aandrew-me | ytDownloader | 3.20.0 | affected |
| aandrew-me | ytDownloader | 3.20.1 | affected |
| aandrew-me | ytDownloader | 3.20.2 | affected |
Weaknesses
- CWE-77: Command Injection
- CWE-74: Injection
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://vuldb.com/vuln/357140
- https://vuldb.com/vuln/357140/cti
- https://vuldb.com/submit/785843
- https://vuldb.com/submit/785844
- https://gist.github.com/ngocnn97/53a9f251d1cb99b1b8033e211407d1b1
- https://github.com/ngocnn97/security-advisories/blob/main/YtDownloader_Command_Injection_PoC.mp4
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.