HIGH
iina
CVE published 2026-05-21
CVE-2026-47114
CVE-2026-47114 is a user-assisted command execution issue affecting IINA before 1.4.3 on macOS. A remote attacker can send a crafted iina://open custom URL that places malicious mpv_-prefixed query parameters into the mpv runtime. If the user approves the browser protocol prompt, the application may execute attacker-controlled commands as the current macOS user, even without a valid media file.