# CVE-2026-47114: IINA < 1.4.3 command execution via `iina://open`
**Status:** Public advisory
**CVE:** CVE-2026-47114
**Reporter:** stackpointer
**Affected product:** IINA for macOS
**Confirmed vulnerable version:** IINA 1.4.2
**Affected range:** IINA before 1.4.3
**Fixed version:** IINA 1.4.3
**CWE:** CWE-88, Improper Neutralization of Argument Delimiters in a Command
**Severity:** High
**CVSS v4.0:** 8.6
**CVSS v3.1:** 8.8
**Discovery date:** 2026-05-16
**Public advisory date:** 2026-05-17
**CVE publication date:** 2026-05-21
## Summary
Before version 1.4.3 of IINA, command execution could be achieved by combining `iina://open` with the `mpv_options/input-commands` query parameter, producing URLs that run commands when opened.
## Impact
The issue allowed command execution as the current macOS user after the user opened the link.
Confirmed impact:
- Browser-triggered command execution through `mpv_options/input-commands`
- Execution as the current macOS user
- No valid media file required
- Controlled file creation was demonstrated only inside a proof-of-concept directory
User interaction is required in the browser-delivered attack path because the browser asks whether to open the `iina://` custom protocol.
## User interaction and local reproduction note
When triggered from a webpage, the browser is expected to show a prompt asking whether to open IINA. That prompt is part of the user-interaction requirement.
For local reproduction, invoking the same URL with macOS `open 'iina://...'` may launch IINA directly because the action is initiated locally through LaunchServices rather than through a browser. This local behavior is useful for testing, but the remote attack scenario still requires a browser-delivered `iina://` URL and browser protocol prompt approval.
## Root cause
The root cause is unsafe forwarding of `mpv_` query parameters from a remote-triggerable custom URL scheme into mpv runtime options. The dangerous option confirmed in testing is `mpv_options/input-commands`, which can be interpreted by mpv as an input command list.
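To make the root cause concrete from a defender's side, here is an added Python example (not IINA's code, and not from the advisory) that parses `iina://open` URLs the way the advisory describes, strips the `mpv_` prefix from query keys, applies the same substring denylist that the 1.4.3 fix uses, and contrasts it with an allowlist filter. The allowlist contents, the log line format and the `REDACTED_COMMAND` value are constructed for illustration and are not taken from the page.

```python
"""Triage iina:// URLs for the CVE-2026-47114 pattern (added example, not IINA code).

Assumptions (not from the advisory): SAFE_MPV_OPTIONS is an illustrative
allowlist, and SAMPLE_LOG is a constructed "timestamp client url" format.
"""
from urllib.parse import urlsplit, parse_qsl

# Hypothetical allowlist of mpv options a URL may legitimately set.
SAFE_MPV_OPTIONS = frozenset({"volume", "mute", "fullscreen", "loop-file"})


def mpv_options_in(url):
    """Return (option name, value) pairs for every `mpv_`-prefixed query key.

    Mirrors the advisory's description: the 4-character `mpv_` prefix is
    dropped and the remainder is treated as an mpv option name.
    """
    parts = urlsplit(url)
    if parts.scheme != "iina" or parts.netloc != "open":
        return []
    options = []
    # parse_qsl percent-decodes keys, so mpv_options%2Finput-commands
    # becomes mpv_options/input-commands before the prefix is stripped.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.startswith("mpv_"):
            options.append((name[4:], value))
    return options


def rejected_by_1_4_3(option):
    """The denylist check from the 1.4.3 fix: reject names containing 'input-command'."""
    return "input-command" in option


def allowlist_filter(options):
    """Stricter alternative: forward only options on an explicit allowlist."""
    accepted, rejected = [], []
    for name, value in options:
        (accepted if name in SAFE_MPV_OPTIONS else rejected).append((name, value))
    return accepted, rejected


def scan_log(lines):
    """Flag log lines whose iina:// URL carries an option the 1.4.3 guard rejects."""
    hits = []
    for line in lines:
        for token in line.split():
            if not token.startswith("iina://"):
                continue
            bad = [name for name, _ in mpv_options_in(token) if rejected_by_1_4_3(name)]
            if bad:
                hits.append((line, bad))
    return hits


# Constructed sample log lines: one benign URL, one matching the advisory's
# pattern (command value replaced by a placeholder), one unrelated URL.
SAMPLE_LOG = [
    "2026-05-17T10:00:00Z client=10.0.0.5 "
    "iina://open?url=https%3A%2F%2Fexample.com%2Fv.mp4&mpv_volume=50",
    "2026-05-17T10:00:05Z client=10.0.0.9 "
    "iina://open?url=http%3A%2F%2F127.0.0.1%3A225%2F225"
    "&mpv_options%2Finput-commands=REDACTED_COMMAND",
    "2026-05-17T10:00:07Z client=10.0.0.9 https://example.com/index.html",
]

if __name__ == "__main__":
    for line, bad in scan_log(SAMPLE_LOG):
        print("FLAGGED:", bad, "in", line)
    for line in SAMPLE_LOG:
        url = line.split()[-1]
        print(url[:60], "->", allowlist_filter(mpv_options_in(url)))
```

The denylist function reproduces the fix's `contains("input-command")` check, so `scan_log` flags exactly the option family the advisory confirms; the allowlist function shows the shape a stricter forwarding policy would take, where any option name not explicitly permitted is rejected regardless of what it is called.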
## FUN VIDEO PROOF OF CONCEPT
[Sit back and enjoy!](proof.mp4). If that video proof is not enough, that's OK; here are two commands you can try yourself: `iina://open?url=http%3A%2F%2F127.0.0.1%3A225%2F225&mpv_options%2Finput-commands=run%20%22%2Fusr%2Fbin%2Ftouch%22%20%22%2Ftmp%2Fpwned%22` and `iina://open?url=http%3A%2F%2F127.0.0.1%3A225%2F225&mpv_options%2Finput-commands=run%20%22%2Fbin%2Frm%22%20%22%2Ftmp%2Fpwned%22`.
## Mitigation
Update to IINA 1.4.3.
## Let's look at the fix!
```diff
for query in queries {
if query.name.hasPrefix("mpv_") {
let mpvOptionName = String(query.name.dropFirst(4))
+ guard !mpvOptionName.contains("input-command") else {
+ Logger.log("mpv option \(mpvOptionName) rejected when parsing URL", level: .warning)
+ continue
+ }
guard let mpvOptionValue = query.value else { continue }
Logger.log("Setting \(mpvOptionName) to \(mpvOptionValue)")
player.mpv.setString(mpvOptionName, mpvOptionValue)
```
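Review bot: the new guard is a substring denylist on the option name (`!mpvOptionName.contains("input-command")`) while every other `mpv_`-prefixed query parameter is still forwarded unchanged to `player.mpv.setString(mpvOptionName, mpvOptionValue)`; because the URL scheme is remotely triggerable, an allowlist of option names a URL may set, with everything else rejected and logged, would be the more robust shape than blocking one option family by name. The `Logger.log(... level: .warning)` on rejection is worth keeping as is, since it gives a host-side signal when a URL carrying the blocked option is opened.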
## Disclosure timeline
- 2026-05-16: Issue discovered and validated locally
- 2026-05-17: Public advisory published
- 2026-05-17: CVE request submitted
- 2026-05-19: Vendor notified via GitHub issue (email to [email protected] failed)
- 2026-05-20: Fix committed (7048ae7, 1e6f432)
- 2026-05-20: Vendor confirmed fix in IINA 1.4.3
- 2026-05-21: CVE-2026-47114 published by VulnCheck
## Credits
Discovered by stackpointer.