PatchSiren cyber security CVE debrief
CVE-2026-44353 streamlink CVE debrief
Streamlink versions prior to 8.4.0 contain a path traversal vulnerability in their HLS and DASH parsers. The parsers fail to validate URI schemes in segment entries and other resources within .m3u8 HLS playlists or .mpd DASH manifests. A remote attacker can craft a malicious playlist or manifest that references local files using the file:// scheme (e.g., file:///path/to/file), causing Streamlink to read arbitrary local files and write their contents to the output stream. This represents an information disclosure risk where sensitive local files could be exfiltrated through the stream output. The vulnerability was published on 2026-05-27 and modified later the same day. No known exploitation in the wild has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: streamlink
- Product: Unknown
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations using Streamlink for video stream processing, particularly those accepting HLS or DASH manifests from untrusted sources. Security teams monitoring for path traversal vulnerabilities in media processing pipelines. DevOps teams responsible for Streamlink deployments in production environments.
Technical summary
The vulnerability exists in Streamlink's HLS and DASH parsers, which process .m3u8 and .mpd manifest files. These parsers do not validate URI schemes, so file:// URIs are accepted as segment sources. When a remote attacker supplies a crafted manifest containing file:///path/to/file references, Streamlink reads the specified local file and incorporates its contents into the output stream. This is a classic path traversal/insecure direct object reference pattern (CWE-22) in which attacker-controlled input influences file system operations. Per the CVSS scoring, the attack requires user interaction (loading a malicious stream) and has a network attack vector, with high confidentiality impact but no integrity or availability impact.
Defensive priority
medium
Recommended defensive actions
- Upgrade Streamlink to version 8.4.0 or later to remediate this vulnerability
- Validate and sanitize all externally sourced HLS playlists and DASH manifests before processing
- Implement network egress controls to prevent unexpected file system access from streaming applications
- Monitor for anomalous file system access patterns from Streamlink processes
- Review output streams for unexpected content that may indicate local file exfiltration
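One way to implement the manifest validation step above as a pre-processing gate before a playlist is handed to Streamlink, written here as an added example that is not part of the advisory or of Streamlink's own code. It resolves every URI an HLS playlist references (bare segment lines and `URI="..."` tag attributes) against the playlist's own URL and rejects anything outside an http/https allowlist; the allowlist, the base URL and the sample playlist are constructed for this example.

```python
import re
from urllib.parse import urljoin, urlsplit

# Schemes a segment or resource URI may resolve to (assumption for this example).
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample: a playlist whose key and one segment point at local files.
BASE_URL = "https://cdn.example.net/live/index.m3u8"
SAMPLE_PLAYLIST = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:6
#EXT-X-KEY:METHOD=AES-128,URI="file:///path/to/key"
#EXTINF:6.0,
segment0.ts
#EXTINF:6.0,
https://cdn.example.net/live/segment1.ts
#EXTINF:6.0,
file:///path/to/file
#EXT-X-ENDLIST
"""


def extract_uris(playlist_text: str) -> list:
    """Collect every URI the playlist references: bare segment lines plus
    URI="..." attributes on tags such as #EXT-X-KEY, #EXT-X-MAP, #EXT-X-MEDIA."""
    uris = []
    for line in playlist_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            uris.extend(re.findall(r'URI="([^"]*)"', line))
        else:
            uris.append(line)
    return uris


def validate_playlist(playlist_text: str, base_url: str) -> list:
    """Return the resolved URIs whose scheme is not allowed; an empty list means
    the playlist only references http/https resources and may be processed."""
    rejected = []
    for uri in extract_uris(playlist_text):
        # Relative URIs inherit the playlist's scheme; absolute ones keep their own,
        # so a file:// reference survives urljoin and is caught by the allowlist.
        resolved = urljoin(base_url, uri)
        if urlsplit(resolved).scheme.lower() not in ALLOWED_SCHEMES:
            rejected.append(resolved)
    return rejected


if __name__ == "__main__":
    print(validate_playlist(SAMPLE_PLAYLIST, BASE_URL))
```

The same scheme check applies to the `BaseURL` and `SegmentTemplate` references of a DASH .mpd manifest; only the extraction step differs.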
Evidence notes
Vulnerability description and fix version confirmed via official CVE record and NVD entry. Advisory details sourced from GitHub Security Advisory GHSA-hgqw-6m45-hw5f. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N indicates network attack vector with user interaction required, high confidentiality impact. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) identified as weakness.
Official resources
- CVE-2026-44353 CVE record (CVE.org)
- CVE-2026-44353 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27