Vulnerabilities ›

CVE-2026-47114

High

CWE-88 — Weakness Type

                    Published: May 21, 2026                      ·  Modified: May 28, 2026                      ·  Source: NVD                

CVSS v3

8.8

🔗 NVD Official

📄 Description (English)

IINA before 1.4.3 contains a user-assisted command execution vulnerability that allows remote attackers to execute arbitrary commands by supplying malicious mpv_-prefixed query parameters through the iina://open custom URL scheme handler. Attackers can deliver a crafted URL via a browser that passes unvalidated mpv_options/input-commands parameters into the mpv runtime, causing arbitrary command execution as the current macOS user upon approval of the browser protocol prompt without requiring a valid media file.

🤖 AI Executive Summary

IINA media player versions before 1.4.3 contain a critical command execution vulnerability through malicious URL scheme handlers. Attackers can craft URLs with mpv_-prefixed parameters that bypass validation and execute arbitrary commands on macOS systems when users approve browser protocol prompts. This vulnerability requires user interaction but poses significant risk to organizations using IINA for media playback.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 23, 2026 19:54

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability primarily affects Saudi organizations using macOS systems with IINA media player, particularly in: Government agencies and ministries using macOS for media content review; Banking sector employees using IINA for secure media playback; Healthcare institutions managing medical imaging and multimedia content; Educational institutions and research centers; Media and broadcasting companies. The attack vector through URL scheme handlers makes it particularly dangerous in environments where users receive media links via email or messaging platforms. Saudi organizations with BYOD policies and macOS-based workflows face elevated risk.

🏢 Affected Saudi Sectors

Government Banking Healthcare Education Media and Broadcasting Research Institutions

🎯 MITRE ATT&CK Techniques

T1204.001 - User Execution: Malicious Link T1204.002 - User Execution: Malicious File T1559.002 - Inter-Process Communication: Dynamic Data Exchange T1203 - Exploitation for Client Execution T1566.002 - Phishing: Spearphishing Link T1059.004 - Command and Scripting Interpreter: Unix Shell T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

⚖️ Saudi Risk Score (AI)

7.2

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Identify all macOS systems with IINA installed using endpoint management tools

2. Disable IINA URL scheme handler support in browser settings until patching is available

3. Implement browser-level restrictions on iina:// protocol handling

4. Educate users to avoid clicking media links from untrusted sources



Patching Guidance:

1. Upgrade IINA to version 1.4.3 or later when available

2. Monitor IINA GitHub releases and security advisories for patch availability

3. Test patches in non-production environments before deployment



Compensating Controls:

1. Implement application whitelisting to restrict IINA execution

2. Use macOS Gatekeeper and notarization verification

3. Deploy endpoint detection and response (EDR) solutions to monitor process execution from IINA

4. Implement network segmentation to limit lateral movement if compromise occurs

5. Monitor system logs for suspicious mpv process spawning with unusual parameters



Detection Rules:

1. Alert on iina:// URL scheme invocations with mpv_ parameters

2. Monitor for mpv process execution with command-line arguments containing shell metacharacters

3. Track IINA process spawning child processes (cmd.exe, bash, sh, zsh)

4. Log all browser protocol handler approvals for iina:// scheme

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع أنظمة macOS المثبت عليها IINA باستخدام أدوات إدارة نقاط النهاية

2. تعطيل دعم معالج مخطط URL الخاص بـ IINA في إعدادات المتصفح حتى يتوفر التصحيح

3. تنفيذ قيود على مستوى المتصفح على معالجة بروتوكول iina://

4. تثقيف المستخدمين لتجنب النقر على روابط الوسائط من مصادر غير موثوقة

إرشادات التصحيح:

1. ترقية IINA إلى الإصدار 1.4.3 أو أحدث عند توفره

2. مراقبة إصدارات IINA GitHub والتنبيهات الأمنية لتوفر التصحيح

3. اختبار التصحيحات في بيئات غير الإنتاج قبل النشر

الضوابط البديلة:

1. تنفيذ قائمة بيضاء للتطبيقات لتقييد تنفيذ IINA

2. استخدام التحقق من Gatekeeper والتصديق على macOS

3. نشر حلول الكشف والاستجابة على نقاط النهاية (EDR) لمراقبة تنفيذ العمليات من IINA

4. تنفيذ تقسيم الشبكة لتحديد الحركة الجانبية في حالة الاختراق

5. مراقبة سجلات النظام للعمليات المريبة لـ mpv مع معاملات غير عادية

قواعد الكشف:

1. التنبيه على استدعاءات مخطط URL iina:// مع معاملات mpv_

2. مراقبة تنفيذ عملية mpv مع معاملات سطر الأوامر تحتوي على أحرف metacharacters

3. تتبع عملية IINA التي تولد عمليات فرعية (cmd.exe, bash, sh, zsh)

4. تسجيل جميع موافقات معالج بروتوكول المتصفح لمخطط iina://

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.5.1.1 - Information security policies and procedures A.6.1.1 - Access control policy A.6.2.1 - User registration and access rights management A.8.1.1 - Asset management policy A.12.2.1 - Restrictions on software installation A.12.4.1 - Event logging A.12.4.3 - Administrator and operator logs A.13.1.1 - Network security perimeter A.14.2.1 - Secure development policy

🔵 SAMA CSF

ID.AM-2 - Software inventory PR.AC-1 - Access control policy PR.AC-3 - Access enforcement PR.AC-6 - Least privilege PR.DS-5 - Encryption and key management PR.PT-1 - Security awareness and training DE.AE-1 - Audit logging DE.CM-1 - System monitoring RS.RP-1 - Response planning

🟡 ISO 27001:2022

A.5.1.1 - Policies for information security A.6.1.1 - Information security roles and responsibilities A.6.2.1 - Information security responsibilities of management A.8.1.1 - Asset management A.12.2.1 - Restrictions on software installation A.12.4.1 - Event logging A.12.6.1 - Management of technical vulnerabilities A.13.1.1 - Network security perimeter A.14.2.1 - Secure development policy

🔗 References & Sources 4

🔗

https://binary.stackpointer.re/iina-142-url-scheme-command-execution

disclosure@vulncheck.com

🔗

https://github.com/iina/iina/commit/1e6f43248dab9d6ae303781c790e5315cbc9fcef

disclosure@vulncheck.com

🔗

https://github.com/iina/iina/releases/tag/v1.4.3

disclosure@vulncheck.com

🔗

https://www.vulncheck.com/advisories/iina-command-execution-via-iina-open-url-scheme

disclosure@vulncheck.com

📊 CVSS Score

8.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionR — Required

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score8.8

CWECWE-88

EPSS0.17%

Exploit No

Patch ✗ No

Published 2026-05-21

Source Feed nvd

🇸🇦 Saudi Risk Score

7.2

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-88

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-47114

Introduce Yourself

Sign In Required