{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/iina--1.4.3/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-47114"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["IINA (\u003c 1.4.3)"],"_cs_severities":["high"],"_cs_tags":["command execution","custom url scheme","macos","CVE-2026-47114"],"_cs_type":"advisory","_cs_vendors":["IINA"],"content_html":"\u003cp\u003eIINA before version 1.4.3 is susceptible to a user-assisted command execution vulnerability (CVE-2026-47114). This flaw enables remote attackers to execute arbitrary commands on a targeted macOS system. The attack vector involves crafting a malicious URL that exploits the iina://open custom URL scheme. Specifically, the vulnerability stems from the improper handling of \u003ccode\u003empv_options\u003c/code\u003e and \u003ccode\u003einput-commands\u003c/code\u003e parameters passed to the underlying \u003ccode\u003empv\u003c/code\u003e runtime. An attacker can deliver a crafted URL, typically through a web browser. When the user approves the browser\u0026rsquo;s prompt to open the URL with IINA, the specially crafted parameters are passed to the \u003ccode\u003empv\u003c/code\u003e runtime, leading to arbitrary command execution with the privileges of the current macOS user. A valid media file is not required for exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious URL using the \u003ccode\u003eiina://open\u003c/code\u003e scheme, embedding harmful commands within \u003ccode\u003empv_options\u003c/code\u003e or \u003ccode\u003einput-commands\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eThe crafted URL is delivered to the victim, typically through a link in a website or email.\u003c/li\u003e\n\u003cli\u003eThe victim clicks on the malicious URL, triggering a browser prompt asking for permission to open the URL with IINA.\u003c/li\u003e\n\u003cli\u003eThe user approves the browser protocol prompt.\u003c/li\u003e\n\u003cli\u003eIINA receives the URL and passes the \u003ccode\u003empv_options\u003c/code\u003e and \u003ccode\u003einput-commands\u003c/code\u003e parameters to the \u003ccode\u003empv\u003c/code\u003e runtime.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003empv\u003c/code\u003e runtime executes the attacker-supplied commands.\u003c/li\u003e\n\u003cli\u003eArbitrary commands are executed on the macOS system with the privileges of the user running IINA.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution, potentially leading to system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to execute arbitrary commands on the victim\u0026rsquo;s macOS system with the privileges of the user running IINA. This can result in data theft, malware installation, or complete system compromise. The CVSS v3.1 base score for this vulnerability is 8.8, indicating a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade IINA to version 1.4.3 or later to patch CVE-2026-47114.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eEducate users to be cautious when opening URLs, especially those using custom URL schemes, and to carefully review the prompt before granting permission.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events on macOS for processes spawned by IINA with unusual command-line arguments, using the process_creation rule provided below.\u003c/li\u003e\n\u003cli\u003eImplement network connection monitoring to detect any suspicious outbound connections originating from IINA after potential command execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T20:18:33Z","date_published":"2026-05-21T20:18:33Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-47114-iina-command-exec/","summary":"IINA before 1.4.3 contains a user-assisted command execution vulnerability that allows remote attackers to execute arbitrary commands by supplying malicious mpv_-prefixed query parameters through the iina://open custom URL scheme handler.","title":"CVE-2026-47114 - IINA Command Execution Vulnerability via Custom URL Scheme","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-47114-iina-command-exec/"}],"language":"en","title":"CraftedSignal Threat Feed — IINA (\u003c 1.4.3)","version":"https://jsonfeed.org/version/1.1"}