PT-2026-39326 · Unknown · Streamlink

4Tkd0G · Published 2026-05-07 · Updated 2026-06-01 · CVE-2026-44353

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

streamlink versions prior to 8.4.0

Description

Streamlink's HLS and DASH parsers fail to validate the URI scheme of segment entries and other resources. A remote attacker can host a malicious .m3u8 HLS playlist or .mpd DASH manifest that lists local files using the file:/// scheme. When Streamlink processes such a manifest, it reads the specified local files (such as private keys, credentials, or system files like /etc/passwd) and writes their contents to the output stream or file. This occurs because segment URIs are passed to the worker without a scheme allowlist, and the underlying HTTP session accepts file:// URIs that resolve against the local filesystem.

Recommendations

Update to version 8.4.0 or later. As a temporary workaround, avoid processing HLS playlists or DASH manifests from untrusted or remote sources.
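
The scheme allowlist that the description says was missing can be sketched as a pre-flight check on an HLS playlist. This is an added example, not Streamlink's code or its 8.4.0 fix; the function names, the allowlist contents and the sample playlist are assumptions constructed for illustration, and it covers HLS only.

```python
import re
from urllib.parse import urljoin, urlsplit

# Assumption: only network schemes are legitimate for playlist resources.
ALLOWED_SCHEMES = {"http", "https"}
URI_ATTR = re.compile(r'URI="([^"]*)"')  # URI attribute inside tags such as EXT-X-MAP

# Constructed sample input, not taken from a real stream.
SAMPLE_BASE = "https://media.example/live/index.m3u8"
SAMPLE_PLAYLIST = """\
#EXTM3U
#EXT-X-VERSION:6
#EXT-X-TARGETDURATION:6
#EXT-X-MAP:URI="file:///tmp/constructed-example"
#EXTINF:6.0,
seg0.ts
#EXTINF:6.0,
FILE:///etc/passwd
#EXTINF:6.0,
https://cdn.example/live/seg2.ts
#EXT-X-ENDLIST
"""


def playlist_uris(text):
    """Yield (line_number, uri) for segment lines and URI="..." tag attributes."""
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            for match in URI_ATTR.finditer(line):
                yield number, match.group(1)
        else:
            yield number, line  # any non-tag line is a segment or playlist URI


def disallowed_uris(text, base_url):
    """Return [(line_number, uri, scheme)] for entries outside the allowlist."""
    findings = []
    for number, uri in playlist_uris(text):
        # Resolve first: relative entries inherit the scheme of the playlist URL,
        # absolute ones keep their own. urlsplit() lower-cases the scheme.
        scheme = urlsplit(urljoin(base_url, uri)).scheme
        if scheme not in ALLOWED_SCHEMES:
            findings.append((number, uri, scheme))
    return findings


if __name__ == "__main__":
    for number, uri, scheme in disallowed_uris(SAMPLE_PLAYLIST, SAMPLE_BASE):
        print(f"line {number}: rejected {scheme!r} URI {uri}")
```

Resolving each entry against the playlist URL before checking the scheme keeps relative segment paths valid while catching absolute file: entries regardless of letter case.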

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-44353
GHSA-HGQW-6M45-HW5F
OPENSUSE-SU-2026:10733-1
PYSEC-2026-180

Affected Products

Streamlink