Nixpkgs security tracker

Untriaged

Permalink CVE-2026-6219

5.3 MEDIUM

CVSS version: 3.1
Attack vector (AV):
Attack complexity (AC):
Privileges required (PR):
User interaction (UI):
Scope (S):
Confidentiality impact (C):
Integrity impact (I):
Availability impact (A):

created 22 hours ago

aandrew-me ytDownloader Compressor Feature compressor.js child_process.exec command injection

A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function child_process.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.

References

VDB-357140 | aandrew-me ytDownloader Compressor Feature compressor.js child_process.exec command injection vdb-entrytechnical-description
VDB-357140 | CTI Indicators (IOB, IOC, TTP, IOA) signaturepermissions-required
Submit #785843 | Aandrew-me ytDownloader 3.20.2 Command Injection third-party-advisory
Submit #785844 | Aandrew-me ytDownloader 3.20.2 Command Injection (Duplicate) third-party-advisory
https://gist.github.com/ngocnn97/53a9f251d1cb99b1b8033e211407d1b1 related
https://github.com/ngocnn97/security-advisories/blob/main/YtDownloader_Command_… exploit

Affected products

ytDownloader

==3.20.1
==3.20.0
==3.20.2

Matching in nixpkgs

pkgs.ytdownloader

Modern GUI video and audio downloader

nixos-unstable 3.19.3
- nixpkgs-unstable 3.19.3
- nixos-unstable-small 3.19.3
nixos-25.11 3.19.3
- nixos-25.11-small 3.19.3
- nixpkgs-25.11-darwin 3.19.3

Package maintainers

@chewblacka John Garcia

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.ytdownloader

Package maintainers