{“lastseen”:””,”description”:”IINA before 1.4.3 contains a user-assisted command execution vulnerability that allows remote attackers to execute arbitrary commands by supplying malicious mpv_-prefixed query parameters through the iina:\/\/open custom URL scheme handler. Attackers can deliver a crafted URL via a browser that passes unvalidated mpv_options\/input-commands parameters into the mpv runtime, causing arbitrary command execution as the current macOS user upon approval of the browser protocol prompt without requiring a valid media file.”,”published”:”2026-05-21T19:36:05.859Z”,”modified”:”2026-05-21T19:36:05.859Z”,”type”:”cve”,”title”:”IINA \\u003c 1.4.3 Command Execution via iina:\/\/open URL Scheme”,”source”:”VulnCheck”,”references”:”https:\/\/binary.stackpointer.re\/iina-142-url-scheme-command-execution\\nhttps:\/\/github.com\/iina\/iina\/releases\/tag\/v1.4.3\\nhttps:\/\/github.com\/iina\/iina\/commit\/1e6f43248dab9d6ae303781c790e5315cbc9fcef\\nhttps:\/\/www.vulncheck.com\/advisories\/iina-command-execution-via-iina-open-url-scheme”,”id”:”CVE-2026-47114″,”bulletinFamily”:””,”cwe”:[“CWE-88″],”cvelist”:null,”sourceData”:”iina iina 0″,”sourceHref”:””,”cvss”:{“score”:8.6,”severity”:”HIGH”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:A\/VC:H\/VI:H\/VA:H\/SC:N\/SI:N\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”iina”,”version”:”0″,”vendor”:”iina”,”ai_description”:”Command execution vulnerability via iina:\/\/open URL scheme”,”ai_severity”:”High”,”ai_vendor”:”iina”,”ai_product”:”IINA”,”ai_version”:”\\u003c 1.4.3″,”ai_score”:8.6}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”IINA before 1.4.3 contains a user-assisted command execution vulnerability that allows remote attackers to execute arbitrary commands by supplying malicious mpv_-prefixed query parameters through the…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,81,12,15,13,7,11,5],"class_list":["post-56164","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-86","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n