python · yt-dlp · Critical
yt-dlp --exec command injection via unsafe string formatting
yt-dlp's --exec option allowed arbitrary command injection through unsafe string formatting conversions (%()s, %()a, %()r, %()j, %()S) on untrusted metadata.
What changed
yt-dlp's --exec option expands output-template fields into a command line that is then handed to the shell. Conversions that insert the field value without shell quoting (%()s, %()a, %()r, %()j, %()S) let a crafted metadata value such as a video title terminate the intended command and append its own, so a malicious site could run arbitrary commands on the downloading machine. Fixed in version 2026.06.09 by restricting the conversions accepted in --exec templates to the safe ones.
Who it affects
Users whose yt-dlp command line or configuration file contains an --exec template that uses one of the unsafe conversions (%()s, %()a, %()r, %()j, %()S) on a metadata field, since that field is controlled by whichever site the video is fetched from.
What to do today
Upgrade yt-dlp to version 2026.06.09 or later. Until then, audit every --exec template (command line and config files) and replace unsafe conversions with safe ones (%()d, %()i, %()f, or %()q, the shell-quoting conversion for string fields), or stop passing metadata fields to --exec at all.
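The following is an added example and not yt-dlp's own code. It is a simplified model of an --exec style template expander that shows why a %()s substitution of untrusted metadata is injectable while %()q and the numeric conversions are not, plus a small audit routine that scans a yt-dlp style config file for --exec lines using the conversions the advisory lists as unsafe. The placeholder regex, the conversion handling, the config parsing, and the metadata and config contents are all assumptions constructed for the example; real yt-dlp templates support more syntax than this model.

```python
import re
import shlex
import subprocess

# Conversions as classified by the advisory.
UNSAFE_CONVERSIONS = set("sarjS")
SAFE_CONVERSIONS = set("difq")

# Simplified %(field)X placeholder; real yt-dlp templates also allow
# width/precision, alternate fields and more conversions (assumption).
TEMPLATE_RE = re.compile(r"%\((?P<field>[A-Za-z_][A-Za-z0-9_]*)\)(?P<conv>[A-Za-z])")

# Constructed metadata standing in for values fetched from a remote site.
# The closing double quote and ';' end the intended command and start a
# second one when the template wraps %(title)s in double quotes.
MALICIOUS_METADATA = {
    "title": 'cat video"; echo INJECTED; echo "',
    "duration": 42,
}

# Constructed config text, one option per line as in yt-dlp config files.
SAMPLE_CONFIG = """\
-o "%(title)s.%(ext)s"
--exec "echo %(title)s"
--exec "echo %(title)q"
"""


def find_unsafe_conversions(template):
    """Return (field, conversion) pairs in a template that use an unsafe conversion."""
    return [(m.group("field"), m.group("conv"))
            for m in TEMPLATE_RE.finditer(template)
            if m.group("conv") in UNSAFE_CONVERSIONS]


def audit_config(config_text):
    """Map line number -> unsafe conversions for every --exec line in the config.

    Only lines whose first token is --exec are inspected; -o and other options
    are not shell-expanded and are ignored here (assumption of this model).
    """
    findings = {}
    for lineno, line in enumerate(config_text.splitlines(), 1):
        tokens = shlex.split(line, comments=True)
        if len(tokens) >= 2 and tokens[0] == "--exec":
            bad = find_unsafe_conversions(tokens[1])
            if bad:
                findings[lineno] = bad
    return findings


def expand(template, metadata):
    """Expand %(field)X the way a naive --exec handler might.

    s: raw value; q: shlex.quote(value); d/i/f: numeric conversion, which
    raises on a non-numeric payload (real yt-dlp may handle that differently).
    Other conversions are outside this model and raise.
    """
    def sub(m):
        value = metadata[m.group("field")]
        conv = m.group("conv")
        if conv == "s":
            return str(value)
        if conv == "q":
            return shlex.quote(str(value))
        if conv in "di":
            return str(int(value))
        if conv == "f":
            return str(float(value))
        raise ValueError(f"conversion %(){conv} not modelled")
    return TEMPLATE_RE.sub(sub, template)


def run_expanded(template, metadata):
    """Expand, then run through the shell as --exec does; return stdout lines."""
    cmd = expand(template, metadata)
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout.splitlines()


if __name__ == "__main__":
    unsafe = 'echo "Downloaded %(title)s"'
    safe = "echo Downloaded %(title)q"
    print("unsafe:", expand(unsafe, MALICIOUS_METADATA))
    print("    ->", run_expanded(unsafe, MALICIOUS_METADATA))
    print("safe:  ", expand(safe, MALICIOUS_METADATA))
    print("    ->", run_expanded(safe, MALICIOUS_METADATA))
    print("config findings:", audit_config(SAMPLE_CONFIG))
```

Running the block on a POSIX shell shows the unsafe template producing an extra INJECTED line, the %()q template echoing the whole title as one inert argument, and the audit flagging only line 2 of the constructed config. The numeric conversions are safe for a different reason: int() rejects anything that is not a number, so a payload in a field used with %()d never reaches the shell.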
Source
GitHub Advisory · yt-dlp