CVE-2026-6219
aandrew-me ytDownloader Compressor Feature compressor.js child_process.exec command injection
| CVSS Score | 5.3 |
| EPSS Score | 0.2% |
| EPSS Percentile | 39th |
A vulnerability was found in aandrew-me ytDownloader up to 3.20.2. It affects the call to child_process.exec in the file src/compressor.js of the component Compressor Feature. Manipulating the input to this call causes command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure.
| CWE | CWE-77 CWE-74 |
| Vendor | aandrew-me |
| Product | ytdownloader |
| Published | Apr 13, 2026 |
| Last Updated | Apr 14, 2026 |
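The description names `child_process.exec` as the sink but not the value that reaches it. As an added example (not ytDownloader's code and not its fix), the sketch below assumes a user-chosen file path is the tainted input and contrasts the shell-string pattern with an argument-array call; the tool name `mediatool`, its `-i` flag and all function names are hypothetical.

```javascript
const { execFileSync } = require("node:child_process");
const path = require("node:path");

// Stand-in child program (assumption): the Node binary itself, echoing the
// arguments it received as JSON, so the example runs without any media tool.
const ECHO_ARGV = "process.stdout.write(JSON.stringify(process.argv.slice(1)))";

// Constructed input: a file name that carries shell metacharacters.
const CONSTRUCTED_NAME = 'clip"; echo INJECTED; ".mp4';

// Before: the pattern exec() invites. The whole line is parsed by a shell, so
// quotes, ';', '|' or '$()' inside the file name become shell syntax.
// The string is only built here, never executed.
function shellCommandString(tool, inputPath, outputPath) {
  return `${tool} -i "${inputPath}" "${outputPath}"`;
}

// After: no shell is involved. Each array element reaches the child as exactly
// one argument. path.resolve() makes the name absolute, so a name starting
// with '-' cannot be read as an option (execFile alone does not prevent that).
function safeArgv(inputPath, outputPath) {
  return ["-i", path.resolve(inputPath), path.resolve(outputPath)];
}

// Runs the stand-in child with the argument array and returns what it received.
function runWithoutShell(inputPath, outputPath) {
  const argv = safeArgv(inputPath, outputPath);
  const out = execFileSync(process.execPath, ["-e", ECHO_ARGV, "--", ...argv], {
    encoding: "utf8",
  });
  return JSON.parse(out);
}

// Stand-alone demonstration.
console.log("shell string :", shellCommandString("mediatool", CONSTRUCTED_NAME, "out.mp4"));
console.log("child argv   :", runWithoutShell(CONSTRUCTED_NAME, "out.mp4"));
```

With the array form the metacharacters arrive in the child as literal bytes of one path argument; in the string form they terminate the quoted file name and start a second command.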
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | Low |
| Availability | Low |
Affected Versions
aandrew-me / ytDownloader
3.20.0 3.20.1 3.20.2
References
vuldb.com: https://vuldb.com/vuln/357140
vuldb.com: https://vuldb.com/vuln/357140/cti
vuldb.com: https://vuldb.com/submit/785843
vuldb.com: https://vuldb.com/submit/785844
gist.github.com: https://gist.github.com/ngocnn97/53a9f251d1cb99b1b8033e211407d1b1
github.com: https://github.com/ngocnn97/security-advisories/blob/main/YtDownloader_Command_Injection_PoC.mp4
Credits
ngocnn97 (VulDB User)
VulDB CNA Team