PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47114 iina CVE debrief

CVE-2026-47114 is a user-assisted command execution issue affecting IINA before 1.4.3 on macOS. A remote attacker can send a crafted iina://open custom URL that places malicious mpv_-prefixed query parameters into the mpv runtime. If the user approves the browser protocol prompt, the application may execute attacker-controlled commands as the current macOS user, even without a valid media file.

Vendor
iina
Product
Unknown
CVSS
HIGH 8.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-21
Original CVE updated
2026-05-21
Advisory published
2026-05-21
Advisory updated
2026-05-21

Who should care

macOS users of IINA, especially anyone who opens links from browsers or other untrusted sources; endpoint defenders and administrators managing macOS fleets; and security teams monitoring custom URL scheme abuse and application update compliance.

Technical summary

The supplied record describes a flaw in IINA's iina://open URL scheme handler. Untrusted mpv_options and input-commands parameters are passed into the mpv runtime without adequate validation, enabling arbitrary command execution when a victim accepts the browser's protocol handler prompt. The record maps the weakness to CWE-88 and lists a CVSS 4.0 score of 8.6 (HIGH), with network access and user interaction required. The affected range is before IINA 1.4.3, and the supplied references include a disclosure write-up, a fixing commit, and the 1.4.3 release tag.

Defensive priority

High — remote reachability plus code execution impact makes this a priority patch, even though the attack requires user interaction.

Recommended defensive actions

  • Update IINA to version 1.4.3 or later.
  • Treat unexpected iina:// links as suspicious and avoid approving browser protocol prompts unless the source is trusted.
  • If IINA is not required on managed systems, consider removing it or reducing exposure to custom URL scheme handlers.
  • Review endpoint and browser policies for custom protocol handling where practical.
  • Monitor for unusual launches of IINA/mpv following browser link clicks and investigate unexpected command-line behavior.
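The monitoring action above and the technical summary both turn on the same observable: an iina://open link whose query carries mpv_-prefixed or input-commands parameters, which IINA before 1.4.3 forwarded to mpv. The triage helper below is an added example (not IINA project code or the advisory's own tooling) that flags such links in protocol-handler log lines; the log format and sample URLs are constructed, and it only marks links for review rather than judging any parameter value.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Query keys the advisory identifies as reaching the mpv runtime unvalidated.
MPV_PREFIX = "mpv_"
RISKY_KEYS = {"input-commands"}
URL_RE = re.compile(r"iina://\S+")

def risky_params(url: str) -> list:
    """Return the query keys of an iina://open URL that IINA < 1.4.3
    would have handed to mpv. Empty list for any other URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "iina":
        return []
    # "iina://open?..." parses with netloc == "open"; also accept "iina:///open".
    target = (parts.netloc or parts.path.lstrip("/")).lower()
    if target != "open":
        return []
    flagged = []
    # parse_qsl percent-decodes keys, so "mpv%5Fx" is seen as "mpv_x".
    for key, _value in parse_qsl(parts.query, keep_blank_values=True):
        lowered = key.lower()
        if lowered.startswith(MPV_PREFIX) or lowered in RISKY_KEYS:
            flagged.append(key)
    return flagged

def scan_log(lines):
    """Return (line_number, flagged_keys) for each line carrying a risky iina:// URL."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            keys = risky_params(url)
            if keys:
                hits.append((number, keys))
    return hits

# Constructed sample lines standing in for a browser / OS protocol-handler log.
SAMPLE_LOG = [
    "2026-05-22 09:14:02 protocol-open iina://open?url=https://example.com/talk.mp4",
    "2026-05-22 09:15:47 protocol-open iina://open?url=https://example.com/talk.mp4&mpv_some-option=value",
    "2026-05-22 09:16:10 protocol-open iina://open?input-commands=PLACEHOLDER",
    "2026-05-22 09:17:33 protocol-open https://example.com/page?mpv_not-iina=1",
]

if __name__ == "__main__":
    for number, keys in scan_log(SAMPLE_LOG):
        print(f"line {number}: review iina://open link, mpv-bound parameters {keys}")
```

A hit means the link would have reached mpv on an unpatched IINA; pair it with the installed IINA version (1.4.3 or later is fixed) when deciding whether to investigate the endpoint.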

Evidence notes

Timing is based on the supplied CVE/NVD timestamps: published 2026-05-21T20:16:14.340Z and modified 2026-05-21T21:03:56.320Z. The source item metadata marks the NVD vulnerability status as Deferred. The supplied official and source references point to an IINA disclosure page, an IINA fix commit, the 1.4.3 release tag, and a VulnCheck advisory, all consistent with a command-execution flaw in the iina://open handler.

Official resources

Publicly disclosed on 2026-05-21 in the supplied corpus; the NVD source item and CVE timestamps are the same day, and the record was later reflected with Deferred status in the source metadata.