43 matches found
CVE-2026-44353
Streamlink is a CLI utility which pipes video streams from various services into a video player. Prior to 8.4.0, Streamlink's HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote .m3u8 HLS playlist or .mpd DASH manifest can list file:///path/to/file...
USN-7890-1 ffmpeg vulnerability
It was discovered that FFmpeg did not properly handle the parsing of certain malformed HLS playlists. If a user were tricked into opening a specially crafted HLS playlist, an attacker could possibly use this issue to cause FFmpeg to crash, resulting in a denial of service...
Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS : FFmpeg vulnerabilities (USN-7830-1)
The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7830-1 advisory. It was discovered that FFmpeg incorrectly handled the return values of functions in its Firequalizer filter and in th...
USN-7830-1 ffmpeg vulnerabilities
It was discovered that FFmpeg incorrectly handled the return values of functions in its Firequalizer filter and in the HTTP Live Streaming HLS implementation, leading to a NULL pointer dereference. If a user was tricked into loading a crafted media file, a remote attacker could possibly use this...
Linux Distros Unpatched Vulnerability : CVE-2023-6603
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in FFmpeg's HLS playlist parsing. This vulnerability allows a denial of service via a maliciously crafted HLS playlist that triggers a null...
Linux Distros Unpatched Vulnerability : CVE-2017-9993
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extension...
Sonos Era 300 buffer error vulnerability
Sonos Era 300 is a spatial audio speaker with Dolby Atmos from Sonos USA. The Sonos Era 300 suffers from a buffer error vulnerability that stems from unvalidated user data during HLS playlist data processing, which could lead to out-of-bounds writes and remote code execution...
PT-2024-15024
Name of the Vulnerable Software and Affected Versions: FFmpeg (affected versions not specified). Description: A flaw was found in FFmpeg's HLS playlist parsing, allowing a denial of service via a maliciously crafted HLS playlist that triggers a null pointer dereference during initialization...
K01112063: NGINX ngx_http_hls_module vulnerability CVE-2022-41743
Security Advisory Description: NGINX Plus before versions R27 P1 and R26 P1 have a vulnerability in the module ngx_http_hls_module that might allow a local attacker to corrupt NGINX worker memory, resulting in its crash or potential other impact using a specially crafted audio or video file. The issu...
K03202240: FFmpeg vulnerabilities CVE-2016-1897 and CVE-2016-1898
Security Advisory Description: CVE-2016-1897: FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the concat protocol in an HTTP Live Streaming HLS M3U8 file, leading to an external HTTP request in which the URL string contains the first line of a...
Debian DSA-3957-1 : ffmpeg - security update
Several vulnerabilities have been discovered in FFmpeg, a multimedia player, server and encoder. These issues could lead to Denial-of-Service and, in some situations, the execution of arbitrary code. - CVE-2017-9608 Yihan Lian of Qihoo 360 GearTeam discovered a NULL pointer access when parsing a...
Information Disclosure
FFmpeg is vulnerable to information disclosure. The library does not properly handle HTTP Live Streaming filename extensions and demuxer names. A malicious user can pass playlist files to the system to obtain sensitive information...
CVE-2017-9993
FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data...
Code injection
FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data...
UBUNTU-CVE-2017-9993
FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data...
ALPINE-CVE-2017-9993
FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data...
CVE-2017-9993
FFmpeg vulnerability CVE-2017-9993 allows reading arbitrary files via crafted HLS playlists by not properly restricting HTTP Live Streaming filename extensions and demuxer names. Affected are FFmpeg releases prior to 2.8.12, 3.0.x (3.0.0–3.0.x with 3.1.x before 3.1.9), 3.2.x before 3.2.6, and 3.3...