Vendor
An arbitrary file write vulnerability (CVE-2026-50158) in the `caption-download` MCP tool of the yutu application allows a local attacker, or any process able to reach the unauthenticated HTTP MCP server, to bypass the `YUTU_ROOT` confinement and write arbitrary content to any path writable by the yutu process, leading to potential persistent code execution, privilege escalation, or denial of service.