External risk intelligence

IINA Command Execution via Custom URL Scheme

CVE advisory

Severity: HIGH (CVSS 8.6)

CVE-2026-47114

A vulnerability in the IINA media player allows remote attackers to execute commands via a crafted URL. This could impact user systems by allowing arbitrary command execution upon user interaction with a malicious link and browser prompt. The business risk involves potential system compromise and unauthorized control.

1 Halo Surface Signal

External exposure likelihood

Halo Surface Signal score for CVE-2026-47114

This vulnerability affects IINA, a local desktop media player application. Exploitation requires the user to interact with a custom URL scheme handler triggered via a web browser on their local machine. As a client-side application with no public-facing network services, it does not present a reachable network attack surface in typical deployment environments.

Horizon Alert

Summary of the vulnerability and why it matters

The IINA media player has a vulnerability in how it handles custom URL schemes. This flaw could allow a malicious actor to execute commands on a user's computer if the user clicks on a specially crafted link. The execution of these commands would occur with the privileges of the current user.

  • Vulnerable component: Custom URL scheme handler
  • Core weakness: Unvalidated parameters in URL scheme
  • Main business impact: Arbitrary command execution

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by tricking a user into opening a specially crafted URL. This URL would pass malicious parameters to the application's custom URL handler. If the user approves a subsequent browser prompt, the attacker could execute arbitrary commands on the affected system. This could lead to unauthorized access and control over the user's machine.

  • Attacker shares a malicious URL.
  • User clicks the URL and approves the prompt.
  • Attacker gains command execution.

Live Threat

Current exploitation, exposure, and threat context

A vulnerability in the IINA media player allows for remote command execution if a user interacts with a specially crafted URL. Attackers could provide malicious links through a browser, which, upon user approval of a system prompt, could execute arbitrary commands. This could impact the affected user's macOS system.

  • Likely attacker skill level: Low
  • Required access or conditions: User interaction with a malicious URL
  • Business risk or urgency: Moderate

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability presents a risk of remote command execution on user systems. Attackers can craft malicious links that, when opened by a user, exploit the application's handling of custom URL schemes. This could lead to the execution of arbitrary commands with the privileges of the user interacting with the application. The impact can include compromise of the affected user's system and potential lateral movement within an organization's network.

  • Find assets using the affected application.
  • Reduce exposure via URL filtering.
  • Apply vendor fix and validate.
  • Monitor for related activity.
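
The URL-filtering and monitoring steps above can be approximated by scanning mail bodies or proxy logs for links to the iina://open handler and flagging any that carry more than a plain media URL. The following Python is an added example, not code from this advisory or from the IINA project; the allow-list policy (a single `url` parameter with an http(s) target), the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed policy (not from the advisory): an iina://open link may carry only
# a single "url" parameter, and that parameter must point at http(s) media.
ALLOWED_PARAMS = {"url"}
ALLOWED_TARGET_SCHEMES = {"http", "https"}

# Matches iina:// links embedded in text such as mail bodies or proxy logs.
LINK_RE = re.compile(r"iina://[^\s\"'<>]+", re.IGNORECASE)

def assess_link(link):
    """Return the policy violations for one link (empty list = allowed)."""
    parts = urlsplit(link)
    if parts.scheme.lower() != "iina":
        return []  # not an IINA link, nothing to assess
    findings = []
    if parts.netloc.lower() != "open":
        findings.append(f"unexpected action: {parts.netloc!r}")
    params = parse_qsl(parts.query, keep_blank_values=True)
    for name, value in params:
        if name not in ALLOWED_PARAMS:
            findings.append(f"parameter not on allow-list: {name!r}")
        elif urlsplit(value).scheme.lower() not in ALLOWED_TARGET_SCHEMES:
            findings.append(f"target is not http(s): {value!r}")
    if [n for n, _ in params].count("url") != 1:
        findings.append("expected exactly one 'url' parameter")
    return findings

def scan_text(text):
    """Find every iina:// link in text; return {link: findings} for violators."""
    report = {}
    for link in LINK_RE.findall(text):
        findings = assess_link(link)
        if findings:
            report[link] = findings
    return report

# Constructed sample input; 'example_flag' is a made-up parameter name.
SAMPLE = (
    "GET /a <a href='iina://open?url=https%3A%2F%2Fmedia.example%2Fclip.mp4'>a</a>\n"
    "GET /b <a href='iina://open?url=https%3A%2F%2Fmedia.example%2Fc.mp4&example_flag=1'>b</a>\n"
    "GET /c <a href='iina://open?url=ftp%3A%2F%2Fmedia.example%2Fc.mp4'>c</a>\n"
)

if __name__ == "__main__":
    for link, findings in scan_text(SAMPLE).items():
        print(link, "->", "; ".join(findings))
```

Flagged links are candidates for blocking or analyst review; the allow-list should be tightened or relaxed to match how the organization actually uses IINA links.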

Frequently asked questions

What is the IINA media player and how is it used?

IINA is a free, open-source media player for macOS. It is designed to be modern and user-friendly, offering features such as support for various video and audio formats, a picture-in-picture mode, and integration with macOS functionalities like the Touch Bar.

What is the weakness in CVE-2026-47114 called?

The weakness is classified as CWE-88, which describes improper neutralization of special elements in an OS command. In this case, it involves unvalidated parameters within the iina://open custom URL scheme handler, allowing for the execution of unintended commands.

How can an attacker trigger command execution in IINA?

An attacker can exploit this vulnerability by tricking a user into clicking a specially crafted URL. This URL passes unvalidated parameters to the IINA application's custom URL handler. If the user approves a subsequent browser prompt, arbitrary commands can be executed on the affected macOS system with the privileges of the current user.

What is the relevance of CVE-2026-47114 to users?

This vulnerability allows for remote command execution on a user's macOS system if they interact with a malicious URL. Attackers can leverage this to gain unauthorized access and control over the user's machine, potentially leading to further compromise within an organization's network. The Halo Surface Signal indicates this is a very unlikely threat due to the local nature of the application and user interaction requirement.

What steps should be taken to address the IINA vulnerability?

To mitigate this risk, organizations should identify all assets using the affected IINA version. Reducing exposure through URL filtering can help prevent malicious links from being opened. Applying the vendor's fix and validating the update are crucial. Monitoring for related suspicious activity is also recommended.
