CVE-2025-66203 – StreamVault is Vulnerable to Authenticated Remote Code Execution (RCE) via ytdlpargs Configuration Injection

CVE ID : CVE-2025-66203

Published : Dec. 26, 2025, 11:37 p.m. | 45 minutes ago

Description : StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application allows administrators to configure yt-dlp arguments via the /admin/api/saveConfig endpoint without sufficient validation. These arguments are stored globally and subsequently used in YtDlpUtil.java when constructing the command line to execute yt-dlp. This issue has been patched in version 251126.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…