CVE-2026-6218 PUBLISHED

A vulnerability was found in aandrew-me ytDownloader up to 3.20.2. Affected by this issue is the function createTextNode of the component Error Details Panel. The manipulation results in cross site scripting. The attack may be performed from remote. The vendor was contacted early about this disclosure.

• ngocnn97 (VulDB User) reporter
• VulDB CNA Team coordinator

• VDB-357139 | aandrew-me ytDownloader Error Details Panel createTextNode cross site scripting
• VDB-357139 | CTI Indicators (IOB, IOC, TTP, IOA)
• Submit #785842 | Aandrew-me ytDownloader 3.20.2 Remote code execution via DOM XSS
• https://github.com/ngocnn97/security-advisories/blob/main/YtDownloader_XSS_To_RCE_PoC.mp4

• Cross Site Scripting CWE
• Code Injection CWE