CVE-2026-6219 MEDIUM

CVE-2026-6219: aandrew-me ytDownloader Compressor Feature compressor.js child_process.exec command injection

Vendor Aandrew-Me
Product ytDownloader
Weakness CWE-77
Published April 13, 2026
Last update April 14, 2026

CVSS base score

4.8/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01 Description

A command injection vulnerability was found in aandrew-me ytDownloader up to 3.20.2. It affects the call to child_process.exec in the file src/compressor.js, part of the Compressor Feature: manipulating the input to that call causes command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure.

Key dates

02 Disclosure timeline

April 13, 2026 CVE published
April 14, 2026 Record updated