CVE-2026-47114

Name of the Vulnerable Software and Affected Versions IINA versions prior to 1.4.3

Description A user-assisted command execution issue exists where remote attackers can execute arbitrary commands as the current macOS user. This occurs when a crafted URL is delivered via a browser using the 'iina://open' custom URL scheme handler. The flaw allows unvalidated mpv options and input-commands parameters, specifically those with the mpv prefix, to be passed into the mpv runtime. Execution occurs upon the user approving the browser protocol prompt and does not require a valid media file.

Recommendations Update to version 1.4.3 or later.