From: yaydn@protonmail.com
Subject: [update] www/yt-dlp 2026.06.09
To: "ports@openbsd.org" <ports@openbsd.org>
Date: Sat, 13 Jun 2026 18:16:30 +0000

Tested on current/amd64 with privsep.

Some security fixes:

Usage of vulnerable conversions (e.g. %()s) with the --exec option is an
all-too-common pitfall. To remedy this, --exec now only allows safe
conversions in its command templates.
  o Most users can simply replace %(...)s with %(...)q in their --exec
    argument(s). Numeric conversions are unaffected by this change. Using
    unsafe conversions with --exec poses a significant security risk.

[CVE-2026-50019] File Downloader cookie leak with curl
  o Impact is limited to users of --downloader curl; cookies are now
    properly passed to curl so that it respects their scope

[CVE-2026-50023] Dangerous file type creation via insufficient filename
sanitization
  o Writing files with the extensions .desktop, .url, or .webloc is now
    only allowed in the context of --write-link functionality

[CVE-2026-50574] Arbitrary code execution via manifest downloads with
aria2c
  o Impact is limited to users of --downloader aria2c
  o Support for downloading HLS and DASH formats with aria2c has been
    removed. Users affected by this change should migrate to use -N for
    concurrent fragment downloads via the native downloader

Changelog:
https://github.com/yt-dlp/yt-dlp/releases/tag/2026.06.09

Comments, testing, and/or okays welcome.

Hope this helps. May you all have a good one.
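
Added example, not part of the original mail and not yt-dlp's own code: a simplified Python model of the %(...)s versus %(...)q difference described for --exec above, with a helper that flags `s` conversions in a template and rewrites them. The field regex, the function names and the sample title are assumptions made for illustration; the real template grammar is larger than this pattern.

```python
import re
import shlex

# Simplified field pattern: %(name)<flags/width/precision><conversion>.
# Assumption: this covers only plain fields, not the full template grammar.
FIELD = re.compile(r"%\((?P<name>[^)]+)\)(?P<fmt>[-#0+ ]*\d*(?:\.\d+)?)(?P<conv>[A-Za-z])")

# Constructed metadata; the title carries a shell metacharacter.
INFO = {"title": "clip; echo INJECTED", "duration": 42}


def unsafe_fields(template):
    """Names of fields in an --exec template that use the `s` conversion."""
    return [m.group("name") for m in FIELD.finditer(template) if m.group("conv") == "s"]


def to_quoted(template):
    """Rewrite %(...)s to %(...)q; numeric and other conversions are left alone."""
    def repl(m):
        return m.group(0)[:-1] + "q" if m.group("conv") == "s" else m.group(0)
    return FIELD.sub(repl, template)


def expand(template, info):
    """Toy expansion: `q` is modelled as POSIX shell quoting, the rest as printf-style."""
    def repl(m):
        value = info[m.group("name")]
        if m.group("conv") == "q":
            return shlex.quote(str(value))
        return ("%" + m.group("fmt") + m.group("conv")) % (value,)
    return FIELD.sub(repl, template)


def shell_words(command):
    """Tokens a POSIX shell would see, with operators such as ; kept separate."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


if __name__ == "__main__":
    template = "echo %(title)s %(duration)d"
    print("flagged:", unsafe_fields(template))
    for t in (template, to_quoted(template)):
        print(t, "->", shell_words(expand(t, INFO)))
```

With the `s` conversion the title splits into several shell words around a `;` operator; with `q` it stays one argument, which is why the mail's replacement advice applies to any --exec template kept in scripts or config files.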