Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
IINA before 1.4.3 contains a user-assisted command execution vulnerability that allows remote attackers to execute arbitrary commands by supplying malicious mpv_-prefixed query parameters through the iina://open custom URL scheme handler. Attackers can deliver a crafted URL via a browser that passes unvalidated mpv_options/input-commands parameters into the mpv runtime, causing arbitrary command execution as the current macOS user upon approval of the browser protocol prompt without requiring a valid media file.
AnalysisAI
Arbitrary command execution in IINA media player for macOS versions prior to 1.4.3 allows remote attackers to run shell commands as the logged-in user by tricking the victim into approving an iina://open URL containing malicious mpv_-prefixed parameters. Publicly available exploit code exists and a vendor patch has been released; exploitation requires a single browser protocol prompt approval (UI:A) but no authentication and no valid media file.
Technical ContextAI
IINA is a popular open-source media player for macOS built as a front-end around the mpv playback engine (cpe:2.3:a:iina:iina). The vulnerability resides in IINA's iina://open custom URL scheme handler, which accepted attacker-controlled query parameters prefixed with mpv_ and forwarded them as mpv_options and input-commands directly into the underlying mpv runtime without validation. This is a textbook CWE-88 (Argument Injection / Improper Neutralization of Argument Delimiters), where injecting mpv command-line options or input commands allows the attacker to leverage mpv's rich scripting/command surface to execute arbitrary shell commands in the context of the current macOS user.
RemediationAI
Upgrade IINA to version 1.4.3 or later, which contains the upstream fix in commit 1e6f43248dab9d6ae303781c790e5315cbc9fcef (https://github.com/iina/iina/releases/tag/v1.4.3); this is the primary and recommended remediation. As a compensating control until the update is applied, users and administrators can unregister or remove IINA as the default handler for the iina:// URL scheme so that browsers no longer offer to launch it - on managed macOS fleets this can be enforced by removing the LSHandlerURLScheme entry for iina from Launch Services or by deploying a configuration profile that suppresses the protocol-handler prompt; the side effect is that legitimate iina:// links (used by some third-party browser extensions and playlist tools) will stop working. Users should also be reminded not to approve browser prompts to open IINA from untrusted pages while running an unpatched version. Refer to the VulnCheck advisory (https://www.vulncheck.com/advisories/iina-command-execution-via-iina-open-url-scheme) and the technical write-up at https://binary.stackpointer.re/iina-142-url-scheme-command-execution for additional context.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31331
GHSA-55r7-xx3w-x2wf