{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6219", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-13T13:29:29.072Z", "datePublished": "2026-04-13T20:45:24.103Z", "dateUpdated": "2026-04-14T19:37:43.233Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-13T20:45:24.103Z"}, "title": "aandrew-me ytDownloader Compressor Feature compressor.js child_process.exec command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "aandrew-me", "product": "ytDownloader", "versions": [{"version": "3.20.0", "status": "affected"}, {"version": "3.20.1", "status": "affected"}, {"version": "3.20.2", "status": "affected"}], "modules": ["Compressor Feature"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function child_process.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-13T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-13T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-13T15:44:14.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "ngocnn97 (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/357140", "name": "VDB-357140 | aandrew-me ytDownloader Compressor Feature compressor.js child_process.exec command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/357140/cti", "name": "VDB-357140 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/785843", "name": "Submit #785843 | Aandrew-me ytDownloader 3.20.2 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/submit/785844", "name": "Submit #785844 | Aandrew-me ytDownloader 3.20.2 Command Injection (Duplicate)", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/ngocnn97/53a9f251d1cb99b1b8033e211407d1b1", "tags": ["related"]}, {"url": "https://github.com/ngocnn97/security-advisories/blob/main/YtDownloader_Command_Injection_PoC.mp4", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6219", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T19:34:54.318102Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T19:37:43.233Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6219", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-13T13:29:29.072Z", "datePublished": "2026-04-13T20:45:24.103Z", "dateUpdated": "2026-04-14T19:37:43.233Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-13T20:45:24.103Z"}, "title": "aandrew-me ytDownloader Compressor Feature compressor.js child_process.exec command injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "Command Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "aandrew-me", "product": "ytDownloader", "versions": [{"version": "3.20.0", "status": "affected"}, {"version": "3.20.1", "status": "affected"}, {"version": "3.20.2", "status": "affected"}], "modules": ["Compressor Feature"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function child_process.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 5.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 4.3, "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-13T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-13T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-13T15:44:14.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "ngocnn97 (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/357140", "name": "VDB-357140 | aandrew-me ytDownloader Compressor Feature compressor.js child_process.exec command injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/357140/cti", "name": "VDB-357140 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/785843", "name": "Submit #785843 | Aandrew-me ytDownloader 3.20.2 Command Injection", "tags": ["third-party-advisory"]}, {"url": "https://vuldb.com/submit/785844", "name": "Submit #785844 | Aandrew-me ytDownloader 3.20.2 Command Injection (Duplicate)", "tags": ["third-party-advisory"]}, {"url": "https://gist.github.com/ngocnn97/53a9f251d1cb99b1b8033e211407d1b1", "tags": ["related"]}, {"url": "https://github.com/ngocnn97/security-advisories/blob/main/YtDownloader_Command_Injection_PoC.mp4", "tags": ["exploit"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6219", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T19:34:54.318102Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T19:35:46.439Z"}, "title": "CISA ADP Vulnrichment"}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function child_process.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure."}], "id": "CVE-2026-6219", "lastModified": "2026-04-13T21:16:32.410", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-13T21:16:32.410", "references": [{"source": "cna@vuldb.com", "url": "https://gist.github.com/ngocnn97/53a9f251d1cb99b1b8033e211407d1b1"}, {"source": "cna@vuldb.com", "url": "https://github.com/ngocnn97/security-advisories/blob/main/YtDownloader_Command_Injection_PoC.mp4"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/785843"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/785844"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/357140"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/357140/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.20.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.20.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.20.2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "ytDownloader", "source": "cna", "vendor": "aandrew-me"}, "product": "ytdownloader", "vendor": "aandrew-me"}], "analysis": {"en": {"generated_at": "2026-04-13T22:25:31.506353+00:00", "value": {"mitigation_remediation": ["Upgrade aandrew-me ytDownloader to a version newer than 3.20.2 when a patch is released.", "If no patch is available, restrict local access to the application or disable the Compressor Feature until a successor version is available.", "Monitor system logs for unexpected process creation or execution of commands originating from the Compressor Feature."], "summary": {"action": "Patch", "impact": "Local Command Execution"}, "threat_synthesis": {"affected_systems": "All installations of aandrew-me ytDownloader up to and including version 3.20.2 are affected; the issue resides in the compressor feature and is present in all releases prior to a patch that must be applied.", "description_and_impact": "The vulnerability is a local command injection in the Compressor Feature of aandrew-me ytDownloader, achieved by manipulating the child_process.exec call in src/compressor.js. Attackers with local access can supply crafted input that is passed directly to the shell, leading to arbitrary command execution and full compromise of the affected system. This weakness is classified as OS Command Injection (CWE-77) and input validation flaw (CWE-74).", "risk_and_exploitability": "The CVSS score of 4.8 indicates moderate severity. The lack of an EPSS score and absence from the CISA KEV listing suggest that widespread exploitation is not yet documented, but the locally available command injection remains a significant risk for any user who can execute the application. Exploitation requires the attacker to have local user privileges or to compromise the system through another vector that grants local execution."}}}}, "created": "2026-04-14T16:18:10.995661+00:00", "updated": "2026-04-14T16:33:17.920271+00:00", "vendors": ["aandrew-me", "aandrew-me$PRODUCT$ytdownloader"]}