CVE-2025-66203

Published: Dec 27, 2025Modified: Mar 9, 2026

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Exploitability: 2.3 / Impact: 6.0

Source: NVD

Description

StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application allows administrators to configure yt-dlp arguments via the /admin/api/saveConfig endpoint without sufficient validation. These arguments are stored globally and subsequently used in YtDlpUtil.java when constructing the command line to execute yt-dlp. This issue has been patched in version 251126.

Affected (1)

Products: Lemon8866: Streamvault

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Lemon8866 Streamvault	Before 251126

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (2)

https://github.com/lemon8866/StreamVault/releases/tag/251226

Source: security-advisories@github.com

ProductRelease Notes

https://github.com/lemon8866/StreamVault/security/advisories/GHSA-c747-q388-3v6m

Source: security-advisories@github.com

ExploitVendor Advisory

Timeline

No history available yet.