CVE-2026-50019

• Release: https://github.com/yt-dlp/yt-dlp/releases/tag/2026.06.09 https://github.com/yt-dlp/yt-dlp#release-files
• Github/Documentation: https://github.com/yt-dlp/yt-dlp#readme
• PyPI: https://pypi.org/project/yt-dlp
• Donate: Maintainers.md

Changelog

Important changes

• The minimum supported versions of Deno, Node, and Bun have been raised. The minimum required version of Deno is now v2.3.0; supported Node versions are v22 and up; Bun support has been deprecated and limited to versions 1.2.11 through 1.3.14.
• Security
  • Usage of vulnerable conversions (e.g. %()s) with the --exec option is an all-too-common pitfall. To remedy this, --exec now only allows safe conversions in its command templates.
    • Most users can simply replace %(...)s with %(...)q in their --exec argument(s). Numeric conversions are unaffected by this change. Using unsafe conversions with --exec poses a significant security risk. Read more
  • [CVE-2026-50019] File Downloader cookie leak with curl
    • Impact is limited to users of --downloader curl; cookies are now properly passed to curl so that it respects their scope
  • [CVE-2026-50023] Dangerous file type creation via insufficient filename sanitization
    • Writing files with the extensions .desktop, .url, or .webloc is now only allowed in the context of --write-link functionality
  • [CVE-2026-50574] Arbitrary code execution via manifest downloads with aria2c
    • Impact is limited to users of --downloader aria2c
    • Support for downloading HLS and DASH formats with aria2c has been removed. Users affected by this change should migrate to use -N for concurrent fragment downloads via the native downloader

Core changes

• Add lockfile and pinned extras (#16421) by bashonly, Grub4K (With fixes in 88c8a68 by bashonly)
• Fix default extra for ios platforms (#16376) by bashonly
• Remove url, desktop and webloc from safe extensions by Grub4K
• update: Bump GitHub REST API version to 2026-03-10 (#16435) by bashonly
• utils
  • random user agent
    • Bump version range 137-143 => 142-148 (#16588) by dlp-bot
    • Bump version range 142-148 => 143-149 (#16906) by dlp-bot

Extractor changes

• Extract supplemental codecs from DASH manifests (#16827) by chrisellsworth
• resolve nuxt array: Handle Pinia skipHydrate (#16447) by doe1080
• abematv: Extract subtitles (#16502) by garret1317
• ard: Support new ardsounds domain (#16381) by evilpie
• bandcamp: weekly: Fix extractor (#16373) by bashonly
• iwara: Fix extractors (#16014) by vpertys
• monstercat: Support older URLs (#16780) by AnAwesomGuy
• onsen: Fix extraction (#16830) by doe1080
• pornhub: Support browser impersonation (#16794) by 0xvd
• reddit: Fix unauthenticated extraction (#16839) by 0xvd, bashonly, jdesgats
• rtp: Support multi-part episodes and --no-playlist (#16299) by bashonly
• s4c: Extract more metadata (#16813) by Suntooth
• soop: Adapt extractors to new domain (#16436) by thematuu
• soundcloud
  • Improve error handling (#16602) by bashonly
  • Support --extractor-retries for original formats (#16690) by HarmfulBreeze
• thisoldhouse: Fix extractor (#16909) by bashonly, dirkf
• twitch
  • Remove dead rechat subtitles (#16660) by kasper93
  • clips: Fix extractor (#16466) by Ventriduct
• twitter: Fix view count extraction (#16814) by MemoKing34
• wikimedia: Rework extractor (#15413) by seproDev
• youtube
  • Drop support for bun<1.2.11 and bun>1.3.14 (#16786) by bashonly
  • Drop support for deno<2.3.0 (#16788) by bashonly
  • Drop support for node<22 (#16787) by bashonly
  • Fix PO token sanitization for Python 3.15 (#16884) by Grub4K
  • Fix PO token sanitization for Python>=3.14.4 (#16453) by syphyr
  • Fix outdated quickjs-ng warning (#16437) by bashonly

Downloader changes

• external
  • aria2c: Remove support for m3u8/dash protocols by bashonly
  • curl: Fix cookie leak on redirect by Grub4K
• ffmpeg: Use info dict http headers for direct merge downloads (#15456) by bashonly

Postprocessor changes

• exec: Restrict --exec template usage to safe conversions (#16883) by bashonly
• ffmpegmetadata: Avoid erroneous ISO 639 conversions (#16046) by bashonly

Networking changes

• Request Handler
  • curl cffi
    • Add actual reason to response (#16818) by antorlovsky
    • Fix supported impersonate targets (#16440) by bashonly
    • Support curl cffi 0.15.x (#16429) by bashonly

Misc. changes

• build
  • Harden build/release workflows (#16358) by bashonly, Grub4K (With fixes in cdc465a by bashonly)
  • Harden release workflow (#16444) by bashonly
  • Rename requirements files to clean up dependency graph (#16740) by bashonly
  • Update 12 dependencies (#16903) by dlp-bot
  • Update 14 dependencies (#16589) by dlp-bot
  • Update 28 dependencies (#16467) by bashonly
  • Upgrade all Linux binaries to Python 3.14 (#16738) by bashonly
• ci
  • Bump pytest to 9.x (#16470) by bashonly, Grub4K
  • Test with Python 3.15 (#16896) by bashonly
  • Update 2 actions in 2 workflows (#16743) by dlp-bot
  • Update 3 actions in 9 workflows (#16782) by dlp-bot
  • Update 8 actions in 7 workflows (#16384) by bashonly
  • Update wiki via this repository (#16446) by bashonly (With fixes in 9f0fc9a)
• cleanup
  • Remove dead extractors (#16137) by bashonly, doe1080
  • Miscellaneous
    • 35684c1, 3a12be7 by bashonly
    • 821bef0 by bashonly, Grub4K
• devscripts
  • Handle ejs updates for requirements files (#16374) by bashonly, Grub4K
  • update requirements: Add reporting functionality (#16454) by bashonly, Grub4K
• docs: Update badges (#14893) by seproDev
• test: Add default and curl-cffi extras to hatch-test env (#16397) by JSubelj

To update to nightly from the executable/binary:

To install/upgrade to nightly with pip:

To install nightly with pipx:

To upgrade to the latest nightly with pipx:

To install from master with homebrew:

To upgrade to latest master with homebrew if you've already installed with --HEAD: