Description
Streamlink is a CLI utility which pipes video streams from various services into a video player. Prior to 8.4.0, Streamlink's HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote .m3u8 HLS playlist or .mpd DASH manifest can list file:///path/to/file as a segment, and streamlink will read that local file and write its contents to the output stream. This vulnerability is fixed in 8.4.0.
Published: 2026-05-27
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Streamlink, a command‑line utility that forwards video streams from many services to a player, has a flaw that allows a remote attacker to cause the client to read arbitrary local files. The HLS and DASH parsers fail to validate the URI scheme of segment entries; a malicious playlist or manifest can embed a file:///path as a segment, leading Streamlink to open and stream that local file. This results in a local file read with the permissions of the user running Streamlink, exposing potentially confidential data. The vulnerability is a classic instance of CWE‑22, where an attacker controls input that bypasses intended security checks on filesystem paths.

Affected Systems

All versions of Streamlink prior to 8.4.0 are affected, regardless of the operating system. The issue is product‑wide and applies to the standard command‑line client, not just specific distribution packages.

Risk and Exploitability

The flaw has a CVSS score of 6.5 and currently has no EPSS value; it is not listed in the CISA KEV catalog. An attacker who can supply a crafted .m3u8 or .mpd via a remote HTTP or HTTPS source can trigger the vulnerability. The attack requires the target to run Streamlink and fetch the malicious playlist, after which the local file is read and written to the output stream. Because the read occurs locally, the attack presents a moderate risk level but can expose sensitive files depending on user privileges.

Generated by OpenCVE AI on May 27, 2026 at 21:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Streamlink 8.4.0 or newer, which validates the URI scheme and removes the vulnerability.
  • If updating immediately is not possible, run Streamlink under an account or in a container with minimal filesystem permissions to limit access to sensitive files.
  • Whitelist only trusted sources for HLS/DASH playlists or filter incoming manifests to reject any file:// references before processing.
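
The manifest filtering suggested in the last item, sketched for HLS as an added example (not Streamlink's code and not its 8.4.0 fix). The http/https allowlist, the function names and the sample playlist are assumptions constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}      # assumption: only remote streams are expected
URI_ATTR = re.compile(r'URI="([^"]*)"')  # URI attributes in tags such as EXT-X-KEY, EXT-X-MAP

# Constructed sample playlist, not taken from a real service.
SAMPLE_PLAYLIST = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:6
#EXT-X-KEY:METHOD=AES-128,URI="file:///path/to/file"
#EXTINF:6.0,
seg0001.ts
#EXTINF:6.0,
FILE:///path/to/other
#EXTINF:6.0,
https://cdn.example.test/live/seg0003.ts
#EXT-X-ENDLIST
"""

def playlist_uris(text):
    """Yield (line_number, raw_uri) for segment lines and URI="..." tag attributes."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            for match in URI_ATTR.finditer(line):
                yield lineno, match.group(1)
        else:
            yield lineno, line

def rejected_uris(text, base_url):
    """Return (line, raw_uri, scheme) for entries whose resolved scheme is not allowed."""
    rejected = []
    for lineno, raw in playlist_uris(text):
        # Resolve first: relative entries inherit the playlist's own scheme.
        scheme = urlsplit(urljoin(base_url, raw)).scheme  # urlsplit lowercases it
        if scheme not in ALLOWED_SCHEMES:
            rejected.append((lineno, raw, scheme))
    return rejected

if __name__ == "__main__":
    base = "https://cdn.example.test/live/index.m3u8"
    for lineno, raw, scheme in rejected_uris(SAMPLE_PLAYLIST, base):
        print(f"line {lineno}: rejected scheme {scheme!r}: {raw}")
```

A manifest with any rejected entry should be dropped whole rather than passed on with the offending lines stripped; DASH manifests need the equivalent check on their URL elements and attributes.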


Advisories
Source: GitHub GHSA
ID: GHSA-hgqw-6m45-hw5f
Title: Streamlink has an arbitrary local file read via file:// URI in HLS and DASH

History

Wed, 27 May 2026 19:30:00 +0000

Values Added:
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 16:30:00 +0000

Values Added:
Description: Streamlink is a CLI utility which pipes video streams from various services into a video player. Prior to 8.4.0, Streamlink's HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote .m3u8 HLS playlist or .mpd DASH manifest can list file:///path/to/file as a segment, and streamlink will read that local file and write its contents to the output stream. This vulnerability is fixed in 8.4.0.
Title: Streamlink: Arbitrary local file read via file:// URI in HLS and DASH
Weaknesses: CWE-22
References
Metrics: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T17:49:20.696Z

Reserved: 2026-05-05T19:52:59.148Z

Link: CVE-2026-44353

Vulnrichment

Updated: 2026-05-27T17:49:16.290Z

NVD

Status: Received

Published: 2026-05-27T17:16:38.927

Modified: 2026-05-27T19:16:20.440

Link: CVE-2026-44353

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T21:15:25Z