Description
IINA before 1.4.3 contains a user-assisted command execution vulnerability that allows remote attackers to execute arbitrary commands by supplying malicious mpv_-prefixed query parameters through the iina://open custom URL scheme handler. Attackers can deliver a crafted URL via a browser that passes unvalidated mpv_options/input-commands parameters into the mpv runtime, causing arbitrary command execution as the current macOS user upon approval of the browser protocol prompt without requiring a valid media file.
Published: 2026-05-21
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IINA, a media player for macOS, contains a user-assisted command execution vulnerability that allows an attacker to craft an iina://open URL with malicious mpv_-prefixed query parameters such as mpv_options or input-commands, which the player then passes unverified to the mpv runtime when the browser prompts the user to open the protocol, enabling arbitrary code to run as the current macOS user; this flaw is classified as CWE‑88 and can lead to full remote code execution.

Affected Systems

All installations of IINA on macOS that use the iina://open URL scheme and are earlier than version 1.4.3 are affected, as the product vendor iina:iina has not yet removed the unsafe handling of mpv options in the URL scheme handler.

Risk and Exploitability

The CVSS base score of 8.6 indicates a high severity issue; EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalogue, suggesting limited or no widespread exploitation to date; however, exploitation requires the victim to approve a browser protocol prompt, making it a user‑interaction attack that can still be delivered by phishing or social engineering, and the combined factors imply a high risk for exposed users who are not updated.

Generated by OpenCVE AI on May 21, 2026 at 20:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update IINA to version 1.4.3 or later, which removes the unsafe URL‑scheme handling.
  • If an update cannot be applied immediately, disable or block the iina://open protocol in browsers so that malicious URLs cannot trigger the player.
  • Avoid clicking on unknown iina:// links in emails, messages, or webpages until the vulnerability is patched.

Generated by OpenCVE AI on May 21, 2026 at 20:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 19:45:00 +0000

Type Values Removed Values Added
Description IINA before 1.4.3 contains a user-assisted command execution vulnerability that allows remote attackers to execute arbitrary commands by supplying malicious mpv_-prefixed query parameters through the iina://open custom URL scheme handler. Attackers can deliver a crafted URL via a browser that passes unvalidated mpv_options/input-commands parameters into the mpv runtime, causing arbitrary command execution as the current macOS user upon approval of the browser protocol prompt without requiring a valid media file.
Title IINA < 1.4.3 Command Execution via iina://open URL Scheme
Weaknesses CWE-88
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-21T19:36:05.859Z

Reserved: 2026-05-18T19:22:26.749Z

Link: CVE-2026-47114

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-05-21T20:16:14.340

Modified: 2026-05-21T21:03:56.320

Link: CVE-2026-47114

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T20:30:18Z

Weaknesses