Skip to main content

IINA CVE-2026-47114

| EUVDEUVD-2026-31331 HIGH
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-05-21 VulnCheck GHSA-55r7-xx3w-x2wf
8.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
May 21, 2026 - 20:30 vuln.today
Analysis Generated
May 21, 2026 - 20:30 vuln.today
CVSS changed
May 21, 2026 - 20:22 NVD
8.8 (HIGH) 8.6 (HIGH)

DescriptionCVE.org

IINA before 1.4.3 contains a user-assisted command execution vulnerability that allows remote attackers to execute arbitrary commands by supplying malicious mpv_-prefixed query parameters through the iina://open custom URL scheme handler. Attackers can deliver a crafted URL via a browser that passes unvalidated mpv_options/input-commands parameters into the mpv runtime, causing arbitrary command execution as the current macOS user upon approval of the browser protocol prompt without requiring a valid media file.

AnalysisAI

Arbitrary command execution in IINA media player for macOS versions prior to 1.4.3 allows remote attackers to run shell commands as the logged-in user by tricking the victim into approving an iina://open URL containing malicious mpv_-prefixed parameters. Publicly available exploit code exists and a vendor patch has been released; exploitation requires a single browser protocol prompt approval (UI:A) but no authentication and no valid media file.

Technical ContextAI

IINA is a popular open-source media player for macOS built as a front-end around the mpv playback engine (cpe:2.3:a:iina:iina). The vulnerability resides in IINA's iina://open custom URL scheme handler, which accepted attacker-controlled query parameters prefixed with mpv_ and forwarded them as mpv_options and input-commands directly into the underlying mpv runtime without validation. This is a textbook CWE-88 (Argument Injection / Improper Neutralization of Argument Delimiters), where injecting mpv command-line options or input commands allows the attacker to leverage mpv's rich scripting/command surface to execute arbitrary shell commands in the context of the current macOS user.

RemediationAI

Upgrade IINA to version 1.4.3 or later, which contains the upstream fix in commit 1e6f43248dab9d6ae303781c790e5315cbc9fcef (https://github.com/iina/iina/releases/tag/v1.4.3); this is the primary and recommended remediation. As a compensating control until the update is applied, users and administrators can unregister or remove IINA as the default handler for the iina:// URL scheme so that browsers no longer offer to launch it - on managed macOS fleets this can be enforced by removing the LSHandlerURLScheme entry for iina from Launch Services or by deploying a configuration profile that suppresses the protocol-handler prompt; the side effect is that legitimate iina:// links (used by some third-party browser extensions and playlist tools) will stop working. Users should also be reminded not to approve browser prompts to open IINA from untrusted pages while running an unpatched version. Refer to the VulnCheck advisory (https://www.vulncheck.com/advisories/iina-command-execution-via-iina-open-url-scheme) and the technical write-up at https://binary.stackpointer.re/iina-142-url-scheme-command-execution for additional context.

Share

CVE-2026-47114 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy