CVE-2026-6218

MEDIUM

aandrew-me ytDownloader Error Details Panel createTextNode cross site scripting

Title source: cna

Description

A vulnerability was found in aandrew-me ytDownloader up to 3.20.2. Affected by this issue is the function createTextNode of the component Error Details Panel. The manipulation results in cross site scripting. The attack may be performed from remote. The vendor was contacted early about this disclosure.

References (4)

[Vdb Entry, Technical Description] https://vuldb.com/vuln/357139

[Signature, Permissions Required] https://vuldb.com/vuln/357139/cti

[Third Party Advisory] https://vuldb.com/submit/785842

[Exploit] https://github.com/ngocnn97/security-advisories/blob/main/YtDownloader_XSS_To_RCE_PoC.mp4

View Exploit ZIP pw:eip

Scores

CVSS v3 4.3

EPSS 0.0003

EPSS Percentile 9.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Details

CWE

CWE-79 CWE-94

Status published

Products (3)

aandrew-me/ytDownloader 3.20.0

aandrew-me/ytDownloader 3.20.1

aandrew-me/ytDownloader 3.20.2

Published Apr 13, 2026

Tracked Since Apr 14, 2026