✝️ John 11:25-27
Jesus said to her, “I am the resurrection and the life. Whoever believes in me, though he die, yet shall he live, and everyone who lives and believes in me shall never die. Do you believe this?” She said to him, “Yes, Lord; I believe that you are the Christ, the Son of God, who is coming into the world.”
# CVE-2026-47114: IINA < 1.4.3 command execution via `iina://open`
**Status:** Public advisory
**CVE:** CVE-2026-47114
**Reporter:** stackpointer
**Affected product:** IINA for macOS
**Confirmed vulnerable version:** IINA 1.4.2
**Affected range:** IINA before 1.4.3
**Fixed version:** IINA 1.4.3
**CWE:** CWE-88, Improper Neutralization of Argument Delimiters in a Command
**Severity:** High
**CVSS v4.0:** 8.6
**CVSS v3.1:** 8.8
**Discovery date:** 2026-05-16
**Public advisory date:** 2026-05-17
**CVE publication date:** 2026-05-21
## Summary
Before version 1.4.3 of IINA, command execution could be achieved via: combining `iina://open` with `mpv_options/input-commands` leading to the creation of urls that can run commands.
## Impact
The issue allowed command execution as the current macOS user after the user opened the link.
Confirmed impact:
- Browser-triggered command execution through `mpv_options/input-commands`
- Execution as the current macOS user
- No valid media file required
- Controlled file creation was demonstrated only inside a proof-of-concept directory
User interaction is required in the browser-delivered attack path because the browser asks whether to open the `iina://` custom protocol.
## User interaction and local reproduction note
When triggered from a webpage, the browser is expected to show a prompt asking whether to open IINA. That prompt is part of the user-interaction requirement.
For local reproduction, invoking the same URL with macOS `open 'iina://...'` may launch IINA directly because the action is initiated locally through LaunchServices rather than through a browser. This local behavior is useful for testing, but the remote attack scenario still requires a browser-delivered `iina://` URL and browser protocol prompt approval.
## Root cause
The root cause is unsafe forwarding of `mpv_` query parameters from a remote-triggerable custom URL scheme into mpv runtime options. The dangerous option confirmed in testing is `mpv_options/input-commands`, which can be interpreted by mpv as an input command list.
## FUN VIDEO PROOF OF CONCEPT
[Sit back and enjoy!](proof.mp4), If that video proof is not enough thats ok, here are 2 commands you can try yourself: `iina://open?url=http%3A%2F%2F127.0.0.1%3A225%2F225&mpv_options%2Finput-commands=run%20%22%2Fusr%2Fbin%2Ftouch%22%20%22%2Ftmp%2Fpwned%22`, `iina://open?url=http%3A%2F%2F127.0.0.1%3A225%2F225&mpv_options%2Finput-commands=run%20%22%2Fbin%2Frm%22%20%22%2Ftmp%2Fpwned%22`.
## Mitigation
Update to IINA 1.4.3
## Let's look at the fix!
```
for query in queries {
if query.name.hasPrefix("mpv_") {
let mpvOptionName = String(query.name.dropFirst(4))
+ guard !mpvOptionName.contains("input-command") else {
+ Logger.log("mpv option \(mpvOptionName) rejected when parsing URL", level: .warning)
+ continue
+ }
guard let mpvOptionValue = query.value else { continue }
Logger.log("Setting \(mpvOptionName) to \(mpvOptionValue)")
player.mpv.setString(mpvOptionName, mpvOptionValue)
```
## How long was the bug alive for? Lets find out!
The bug was introduced in https://github.com/iina/iina/commit/9ae2f4f91dd469b1d69a8b9cf6d877679eec00f8 on `2018-09-01` to the repo and first appeared in a tagged release on `2018-09-10` and the bug was removed in https://github.com/iina/iina/commit/1e6f43248dab9d6ae303781c790e5315cbc9fcef on `2026-05-20`. I tested and confirmed the bug in IINA 1.4.2 however, it seems it has been vulnerable since 2018!
## Disclosure timeline
- 2026-05-16: Issue discovered and validated locally
- 2026-05-17: Public advisory published
- 2026-05-17: CVE request submitted
- 2026-05-19: Vendor notified via GitHub issue (email to
[email protected] failed)
- 2026-05-20: Fix committed (7048ae7, 1e6f432)
- 2026-05-20: Vendor confirmed fix in IINA 1.4.3
- 2026-05-21: CVE-2026-47114 published by VulnCheck
## Credits
Discovered by stackpointer.