Vulnerability Details CVE-2025-66203
StreamVault is a video download integration solution. Prior to version 251126, a Remote Code Execution (RCE) vulnerability exists in the stream-vault application (SpiritApplication). The application allows administrators to configure yt-dlp arguments via the /admin/api/saveConfig endpoint without sufficient validation. These arguments are stored globally and subsequently used in YtDlpUtil.java when constructing the command line to execute yt-dlp. This issue has been patched in version 251126.
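One way to constrain admin-configured yt-dlp arguments before they reach the command line, as an added example that is not StreamVault's code or its actual patch. The class name, the permitted options and the value patterns are assumptions chosen for illustration; the check is meant to run both when the configuration is saved and again when the command is built.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/** Hypothetical allowlist policy for configured yt-dlp arguments. */
public class YtDlpArgPolicy {
    // Assumed policy: options that take no value.
    private static final Set<String> FLAGS = Set.of("--no-playlist", "--no-overwrites");
    // Assumed policy: options that take exactly one value, and the shape that value must have.
    private static final Map<String, Pattern> VALUED = Map.of(
        "--retries", Pattern.compile("\\d{1,2}"),
        "--socket-timeout", Pattern.compile("\\d{1,3}"),
        "--limit-rate", Pattern.compile("\\d{1,5}[KM]?"),
        // First character must be alphanumeric so a value can never look like an option.
        "--format", Pattern.compile("[A-Za-z0-9][A-Za-z0-9+/\\[\\]<>=*.,:_-]{0,63}"));

    /** Returns a copy of the tokens, or throws if any token falls outside the policy. */
    public static List<String> validate(List<String> configured) {
        List<String> out = new ArrayList<>();
        for (int i = 0; i < configured.size(); i++) {
            String opt = configured.get(i);
            if (opt == null) throw new IllegalArgumentException("null token");
            if (FLAGS.contains(opt)) {
                out.add(opt);
            } else if (VALUED.containsKey(opt)) {
                if (i + 1 >= configured.size())
                    throw new IllegalArgumentException("missing value for " + opt);
                String value = configured.get(++i);
                if (value == null || !VALUED.get(opt).matcher(value).matches())
                    throw new IllegalArgumentException("bad value for " + opt);
                out.add(opt);
                out.add(value);
            } else {
                // Default deny: anything not listed above is refused, including "--opt=value" forms.
                throw new IllegalArgumentException("option not permitted: " + opt);
            }
        }
        return out;
    }

    /** Builds argv as a list for ProcessBuilder (no shell); "--" ends option parsing before the URL. */
    public static List<String> buildCommand(List<String> configured, String url) {
        List<String> cmd = new ArrayList<>(List.of("yt-dlp"));
        cmd.addAll(validate(configured));
        cmd.add("--");
        cmd.add(url);
        return cmd;
    }
}
```

With the constructed input `List.of("--no-playlist", "--retries", "3")` and a URL, `buildCommand` returns `[yt-dlp, --no-playlist, --retries, 3, --, <url>]`; any token outside the two tables raises `IllegalArgumentException` before a process is started.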
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 59.6%
CVSS Severity
CVSS v3 Score 9.9
Products affected by CVE-2025-66203
- cpe:2.3:a:lemon8866:streamvault:250410
- cpe:2.3:a:lemon8866:streamvault:250411
- cpe:2.3:a:lemon8866:streamvault:250415
- cpe:2.3:a:lemon8866:streamvault:250417
- cpe:2.3:a:lemon8866:streamvault:250417.2
- cpe:2.3:a:lemon8866:streamvault:250428
- cpe:2.3:a:lemon8866:streamvault:250507
- cpe:2.3:a:lemon8866:streamvault:250630
- cpe:2.3:a:lemon8866:streamvault:250704
- cpe:2.3:a:lemon8866:streamvault:250710
- cpe:2.3:a:lemon8866:streamvault:250717
- cpe:2.3:a:lemon8866:streamvault:250721
- cpe:2.3:a:lemon8866:streamvault:250724
- cpe:2.3:a:lemon8866:streamvault:250731
- cpe:2.3:a:lemon8866:streamvault:250801
- cpe:2.3:a:lemon8866:streamvault:250815
- cpe:2.3:a:lemon8866:streamvault:250818
- cpe:2.3:a:lemon8866:streamvault:250821
- cpe:2.3:a:lemon8866:streamvault:250822
- cpe:2.3:a:lemon8866:streamvault:250826
- cpe:2.3:a:lemon8866:streamvault:250905
- cpe:2.3:a:lemon8866:streamvault:250922
- cpe:2.3:a:lemon8866:streamvault:250923
- cpe:2.3:a:lemon8866:streamvault:250928
- cpe:2.3:a:lemon8866:streamvault:251011
- cpe:2.3:a:lemon8866:streamvault:251013
- cpe:2.3:a:lemon8866:streamvault:251017
- cpe:2.3:a:lemon8866:streamvault:251028
- cpe:2.3:a:lemon8866:streamvault:251118