Arch Linux reports:
ffmpeg has a vulnerability in the current version that allows the
attacker to create a specially crafted video file, downloading which
will send files from a user PC to a remote attacker server. The
attack does not even require the user to open that file — for
example, KDE Dolphin thumbnail generation is enough.