CVE-2026-6219

EUVD-2026-22118
A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function child_process.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.
Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Common Weakness Enumeration
References
https://gist.github.com/ngocnn97/53a9f251d1cb99b1b8033e211407d1b1
https://github.com/ngocnn97/security-advisories/blob/main/YtDownloader_Command_Injection_PoC.mp4
https://vuldb.com/submit/785843
https://vuldb.com/submit/785844
https://vuldb.com/vuln/357140
https://vuldb.com/vuln/357140/cti