Atx

**Name of the Vulnerable Software and Affected Versions** mpv versions prior to 0.28.0 **Description** The issue allows remote attackers to execute arbitrary code via a crafted web site. This is because mpv reads HTML documents containing VIDEO elements and accepts arbitrary URLs in a `src` attribute without a protocol whitelist in `player/lua/ytdl hook.lua`. For example, an URL like `av://lavfi:ladspa=file=` can signify that the product should call `dlopen` on a shared object file located at an arbitrary local pathname. The problem exists because the product does not consider that youtube-dl can provide a potentially unsafe URL. **Recommendations** For versions prior to 0.28.0, consider disabling the `ytdl hook.lua` functionality until a patch is available to prevent the execution of arbitrary code. Restrict access to arbitrary URLs in the `src` attribute to minimize the risk of exploitation. Avoid using URLs that could potentially lead to the execution of arbitrary code, such as those starting with `av://lavfi:ladspa=file=`, until the issue is resolved.