IINA (< 1.4.3) — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/iina--1.4.3/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 21 May 2026 20:18:33 +0000CVE-2026-47114 - IINA Command Execution Vulnerability via Custom URL Schemehttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-47114-iina-command-exec/Thu, 21 May 2026 20:18:33 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-47114-iina-command-exec/IINA before 1.4.3 contains a user-assisted command execution vulnerability that allows remote attackers to execute arbitrary commands by supplying malicious mpv_-prefixed query parameters through the iina://open custom URL scheme handler.IINA before version 1.4.3 is susceptible to a user-assisted command execution vulnerability (CVE-2026-47114). This flaw enables remote attackers to execute arbitrary commands on a targeted macOS system. The attack vector involves crafting a malicious URL that exploits the iina://open custom URL scheme. Specifically, the vulnerability stems from the improper handling of mpv_options and input-commands parameters passed to the underlying mpv runtime. An attacker can deliver a crafted URL, typically through a web browser. When the user approves the browser’s prompt to open the URL with IINA, the specially crafted parameters are passed to the mpv runtime, leading to arbitrary command execution with the privileges of the current macOS user. A valid media file is not required for exploitation.

Attack Chain

  1. Attacker crafts a malicious URL using the iina://open scheme, embedding harmful commands within mpv_options or input-commands parameters.
  2. The crafted URL is delivered to the victim, typically through a link in a website or email.
  3. The victim clicks on the malicious URL, triggering a browser prompt asking for permission to open the URL with IINA.
  4. The user approves the browser protocol prompt.
  5. IINA receives the URL and passes the mpv_options and input-commands parameters to the mpv runtime.
  6. The mpv runtime executes the attacker-supplied commands.
  7. Arbitrary commands are executed on the macOS system with the privileges of the user running IINA.
  8. The attacker achieves code execution, potentially leading to system compromise.

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the victim’s macOS system with the privileges of the user running IINA. This can result in data theft, malware installation, or complete system compromise. The CVSS v3.1 base score for this vulnerability is 8.8, indicating a high severity.

Recommendation

  • Upgrade IINA to version 1.4.3 or later to patch CVE-2026-47114.
  • Deploy the Sigma rules provided below to detect potential exploitation attempts.
  • Educate users to be cautious when opening URLs, especially those using custom URL schemes, and to carefully review the prompt before granting permission.
  • Monitor process creation events on macOS for processes spawned by IINA with unusual command-line arguments, using the process_creation rule provided below.
  • Implement network connection monitoring to detect any suspicious outbound connections originating from IINA after potential command execution.
]]>highadvisorycommand executioncustom url schememacosCVE-2026-47114