35183 – yt-dlp new security issue CVE-2026-26331

Bug 35183 - yt-dlp new security issue CVE-2026-26331

Summary: yt-dlp new security issue CVE-2026-26331

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	9
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA9-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2026-03-06 15:50 CET by Nicolas Salguero
Modified:	2026-03-10 17:48 CET (History)
CC List:	3 users (show)

See Also:
Source RPM:	yt-dlp-2026.02.04-1.mga9.src.rpm
CVE:	CVE-2026-26331
Status comment:	Fixed upstream in 2026.02.21

Flags:	mageia: test_passed_mga9_64+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Nicolas Salguero 2026-03-06 15:50:33 CET

Fedora has issued an advisory on March 5:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FZD6RY6MTTCCMB2B2JT7NMXNRF6JHIOJ/

Fixed by: https://github.com/yt-dlp/yt-dlp/commit/1fbbe29b99dc61375bf6d786f824d9fcf6ea9c1a (2026.02.21)

Nicolas Salguero 2026-03-06 15:50:56 CET

Source RPM: (none) => yt-dlp-2026.02.04-1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 2026.02.21
CVE: (none) => CVE-2026-26331

katnatek 2026-03-07 20:52:33 CET

Assignee: bugsquad => j.alberto.vc

Comment 1 katnatek 2026-03-07 22:15:01 CET

RPMS:

yt-dlp-2026.03.03-1.1.mga9.noarch.rpm
yt-dlp-bash-completion-2026.03.03-1.1.mga9.noarch.rpm
yt-dlp-fish-completion-2026.03.03-1.1.mga9.noarch.rpm
yt-dlp-zsh-completion-2026.03.03-1.1.mga9.noarch.rpm

SRPM:yt-dlp-2026.03.03-1.1.mga9

Status: NEW => ASSIGNED
Assignee: j.alberto.vc => qa-bugs

Comment 2 katnatek 2026-03-08 04:22:14 CET

RH x86_64

installing yt-dlp-bash-completion-2026.03.03-1.1.mga9.noarch.rpm yt-dlp-2026.03.03-1.1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ###################################################################################################
      1/2: yt-dlp                ###################################################################################################
      2/2: yt-dlp-bash-completion
                                 ###################################################################################################
      1/2: removing yt-dlp-2026.02.04-1.mga9.noarch
                                 ###################################################################################################
      2/2: removing yt-dlp-bash-completion-2026.02.04-1.mga9.noarch
                                 ###################################################################################################

Video Downloaded without issue
Looks good

Comment 3 PC LX 2026-03-08 12:35:30 CET

Installed and tested without issues.

Tested:
- on youtube, bitchute, and rumble;
- downloading video+audio and audio only.
All OK.



System: Mageia 9, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.



$ uname -a
Linux jupiter 6.6.120-desktop-1.mga9 #1 SMP PREEMPT_DYNAMIC Wed Jan 14 01:59:53 UTC 2026 x86_64 GNU/Linux
$ rpm -qa | grep yt-dlp | sort
yt-dlp-2026.03.03-1.1.mga9
yt-dlp-bash-completion-2026.03.03-1.1.mga9

CC: (none) => mageia

katnatek 2026-03-09 20:55:53 CET

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => advisory

Comment 4 PC LX 2026-03-10 09:02:55 CET

Added test_passed_mga9_64 flag.

Flags: (none) => test_passed_mga9_64+

Comment 5 Thomas Andrews 2026-03-10 12:22:52 CET

Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2026-03-10 17:48:44 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0054.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.