Stackpointer

**Name of the Vulnerable Software and Affected Versions** IINA versions prior to 1.4.3 **Description** A user-assisted command execution issue exists where remote attackers can execute arbitrary commands as the current macOS user. This occurs when a crafted URL is delivered via a browser using the 'iina://open' custom URL scheme handler. The flaw allows unvalidated `mpv options` and `input-commands` parameters, specifically those with the `mpv ` prefix, to be passed into the mpv runtime. Execution occurs upon the user approving the browser protocol prompt and does not require a valid media file. **Recommendations** Update to version 1.4.3 or later.