Unrated severity · OSV Advisory · Published Dec 26, 2025 · Updated Dec 29, 2025
StreamVault is Vulnerable to Authenticated Remote Code Execution (RCE) via ytdlpargs Configuration Injection
CVE-2025-66203
Description
StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application allows administrators to configure yt-dlp arguments via the /admin/api/saveConfig endpoint without sufficient validation. These arguments are stored globally and subsequently used in YtDlpUtil.java when constructing the command line to execute yt-dlp. This issue has been patched in version 251126.
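One way to constrain administrator-supplied yt-dlp arguments before they reach the command line is an exact-match allowlist. This is an added example, not StreamVault's code or its patch. The class name `YtDlpArgPolicy`, the chosen allowlist, and the value pattern are assumptions, and it presumes the returned list is passed to the process as separate argv elements (for example via `ProcessBuilder`), never through a shell.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public final class YtDlpArgPolicy {
    // Assumed allowlist: option name -> whether it takes a value. Extend deliberately.
    private static final Map<String, Boolean> ALLOWED = Map.of(
        "--format", true, "--retries", true, "--limit-rate", true, "--socket-timeout", true,
        "--no-playlist", false, "--no-overwrites", false);

    /** Returns a normalized argument list, or throws if anything is off the allowlist. */
    public static List<String> validate(List<String> args) {
        List<String> out = new ArrayList<>();
        for (int i = 0; i < args.size(); i++) {
            String arg = args.get(i);
            String name = arg, value = null;
            int eq = arg.indexOf('=');
            if (eq > 0) { name = arg.substring(0, eq); value = arg.substring(eq + 1); }
            // Exact match only: abbreviations, short flags, "--" and bare positionals all fail here.
            Boolean takesValue = ALLOWED.get(name);
            if (takesValue == null) throw new IllegalArgumentException("option not allowed: " + name);
            if (!takesValue) {
                if (value != null) throw new IllegalArgumentException("unexpected value for " + name);
                out.add(name);
                continue;
            }
            if (value == null) {
                if (++i >= args.size()) throw new IllegalArgumentException("missing value for " + name);
                value = args.get(i);
            }
            // A value that starts with '-' could be parsed as another option, so reject it.
            if (value.startsWith("-") || !value.matches("[A-Za-z0-9_.+*/\\[\\]<>=:,-]{1,128}"))
                throw new IllegalArgumentException("bad value for " + name);
            out.add(name + "=" + value); // emit as one token so the value stays bound to its option
        }
        return out;
    }

    public static void main(String[] argv) {
        // Constructed sample inputs.
        System.out.println(validate(List.of("--format", "bestvideo[height<=720]+bestaudio", "--no-playlist")));
        try {
            validate(List.of("--no-playlist", "--not-on-allowlist"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running the check both when the configuration is saved and again immediately before the process is launched also covers values that were stored before validation existed.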
Affected products
- Range: 251118
Patches
No patches discovered yet.
References
- github.com/lemon8866/StreamVault/releases/tag/251226 (mitre, x_refsource_MISC)
- github.com/lemon8866/StreamVault/security/advisories/GHSA-c747-q388-3v6m (mitre, x_refsource_CONFIRM)