yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 and prior to version 2026.02.21, when yt-dlp's "--netrc-cmd" command-line option (or "netrc_cmd" Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL. yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses "--netrc-cmd" in their command/configuration or "netrc_cmd" in their Python scripts. Even though the maliciously crafted URL itself will look very suspicious to many users, it would be trivial for a maliciously crafted webpage with an inconspicuous URL to covertly exploit this vulnerability via HTTP redirect. Users without "--netrc-cmd" in their arguments or "netrc_cmd" in their scripts are unaffected. No evidence has been found of this exploit being used in the wild. yt-dlp version 2026.02.21 fixes this issue by validating all netrc "machine" values and raising an error upon unexpected input. As a workaround, users who are unable to upgrade should avoid using the "--netrc-cmd" command-line option (or "netrc_cmd" Python API parameter), or they should at least not pass a placeholder ("{}") in their "--netrc-cmd" argument.