python · yt-dlp · Critical
yt-dlp Vulnerability Allows Arbitrary Shortcut File Write (CVE-2024-38519 Bypass)
What changed
A vulnerability in yt-dlp allows remote attackers to write arbitrary OS-shortcut files (.desktop, .url, .webloc) to the user's filesystem, bypassing the fix for CVE-2024-38519. The fix in version 2026.06.09 removes these extensions from the global allowlist and restricts them to the --write-link option.
Who it affects
All users of yt-dlp who download media or subtitles, especially those using the --write-subs, --write-auto-subs, --embed-subs, --write-thumbnail, --write-all-thumbnails, or --embed-thumbnail options.
What to do today
Upgrade yt-dlp to version 2026.06.09 immediately. If you cannot upgrade, pass only trusted URLs and avoid the options listed above.
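As an added illustration (not yt-dlp's own code), this is the allowlist shape the fix describes: a format name supplied by the remote site may only become a file extension if it is on the per-kind allowlist, and the shortcut extensions (.desktop, .url, .webloc) are accepted only on the explicit link-writing path. The allowlist contents, function names and the `kind` labels are assumptions for the example.

```python
import os
import re

# Assumed sample allowlists for the example; the real project's lists differ.
MEDIA_EXTS = {"mp4", "mkv", "webm", "m4a", "mp3", "opus"}
SUBTITLE_EXTS = {"vtt", "srt", "ass", "ttml"}
THUMBNAIL_EXTS = {"jpg", "jpeg", "png", "webp"}
# Shortcut formats named in the advisory: never derived from a remote format
# name, only written when the user explicitly opts in (the --write-link path).
SHORTCUT_EXTS = {"desktop", "url", "webloc"}

ALLOWLISTS = {"media": MEDIA_EXTS, "subtitle": SUBTITLE_EXTS, "thumbnail": THUMBNAIL_EXTS}


class UnsafeExtension(ValueError):
    """Raised when a remote-controlled extension is rejected."""


def normalize_ext(ext: str) -> str:
    """Lowercase, drop one leading dot, and require a plain short token so that
    values like 'srt.desktop', '../x' or a NUL byte never reach the filesystem."""
    ext = ext.lstrip(".").lower()
    if not re.fullmatch(r"[a-z0-9]{1,8}", ext):
        raise UnsafeExtension(f"malformed extension {ext!r}")
    return ext


def resolve_extension(remote_ext: str, kind: str, write_link: bool = False) -> str:
    """Return the extension a downloaded artifact may be written with.

    remote_ext comes from the remote site and is attacker controlled; kind is
    what the caller intends to write ('media', 'subtitle', 'thumbnail', 'link')."""
    ext = normalize_ext(remote_ext)
    if kind == "link":
        if write_link and ext in SHORTCUT_EXTS:
            return ext
        raise UnsafeExtension("link files need write_link=True and a shortcut extension")
    if ext in SHORTCUT_EXTS:
        # The bypass class from the advisory: a 'subtitle' or 'thumbnail' whose
        # format name is a shortcut type must be refused, not written.
        raise UnsafeExtension(f"shortcut extension {ext!r} not allowed for {kind}")
    if ext not in ALLOWLISTS[kind]:
        raise UnsafeExtension(f"{ext!r} is not an allowed {kind} extension")
    return ext


def shortcut_files(names):
    """Defender-side audit: which file names in a download folder carry a
    shortcut extension (case-insensitive, final extension only)."""
    return sorted(n for n in names if n.rsplit(".", 1)[-1].lower() in SHORTCUT_EXTS and "." in n)


def scan_download_dir(path: str):
    return shortcut_files(os.listdir(path))
```

`scan_download_dir` is a one-off check for directories written by an unpatched client; it reports names only and deletes nothing.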
Source
GitHub Advisory · yt-dlp