162 matches found

Vulnrichment
added 2026/05/27 3:10 p.m., 5 views

CVE-2026-44353 Streamlink: Arbitrary local file read via file:// URI in HLS and DASH

Streamlink is a CLI utility which pipes video streams from various services into a video player. Prior to 8.4.0, Streamlink's HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote .m3u8 HLS playlist or .mpd DASH manifest can list file:///path/to/file...

CVSS 6.5, AI score 5.8, EPSS 0.00033
Exploits: 1, References: 1
CNNVD
added 2026/05/27 12:0 a.m., 2 views

Streamlink Security Vulnerability

Streamlink is an open-source command-line tool developed by Streamlink that pushes live streaming media to video players. Versions of Streamlink prior to 8.4.0 contained security vulnerabilities. These vulnerabilities stemmed from the fact that the HLS and DASH parsers did not validate the URI...

CVSS 6.5, AI score 5.8, EPSS 0.00033
Exploits: 1, References: 1
Snyk
added 2026/05/11 2:28 p.m., 5 views

External Control of File Name or Path

Overview: streamlink is a command-line utility that extracts streams from various services and pipes them into a video player of choice. Affected versions of this package are vulnerable to External Control of File Name or Path via the parsing process for HLS and DASH playlists or...

CVSS 7.1, AI score 6, EPSS 0.00033
Exploits: 1, References: 2
AstraLinux
added 2026/05/03 11:59 p.m., 6 views

Astra Linux - vulnerability in ffmpeg5

A flaw was discovered in FFmpeg’s TTY Demuxer. This vulnerability allows for potential data exfiltration through improper parsing of input files that do not comply with TTY standards in HLS playlists...

CVSS 5.3, AI score 6.6, EPSS 0.00222
Exploits: 1, References: 2
AstraLinux
added 2026/05/03 11:59 p.m., 2 views

Astra Linux - vulnerability in ffmpeg5

A flaw was discovered in FFmpeg’s HLS demuxer. This vulnerability allows bypassing checks for unsafe file extensions and triggering arbitrary demuxers using base64-encoded data URIs, along with specific file extensions...

CVSS 4.7, AI score 6.7, EPSS 0.00039
Exploits: 1, References: 2
AstraLinux
added 2026/05/03 11:59 p.m., 1 view

Astra Linux - vulnerability in ffmpeg

A flaw was discovered in FFmpeg’s HLS playlist parsing. This vulnerability allows for a denial of service through a maliciously crafted HLS playlist, which triggers a null pointer dereference during initialization...

CVSS 7.5, AI score 6.4, EPSS 0.00173
Exploits: 1, References: 2
OSV
added 2026/03/27 6:13 p.m., 2 views

CVE-2026-34369 AVIdeo has Video Password Protection Bypass via API Endpoints Returning Full Playback Sources Without Password Verification

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the getapivideofile and getapivideo API endpoints in AVideo return full video playback sources (direct MP4 URLs, HLS manifests) for password-protected videos without verifying the video password. While the normal we...

CVSS 5.3, AI score 5.9, EPSS 0.00031
Exploits: 1, References: 4
OSV
added 2026/03/25 9:58 a.m., 0 views

SUSE-SU-2026:20932-1 Security update for ffmpeg-7

This update for ffmpeg-7 fixes the following issues: - Updated to version 7.1.2: avcodec/librsvgdec: fix compilation with librsvg 2.50.3 libavfilter/affirequalizer: Add check for avmallocarray avcodec/libsvtav1: unbreak build with latest svtav1 avformat/hls: Fix Youtube AAC Various bugfixes...

CVSS 5.3, AI score 5.9, EPSS 0.00106
Exploits: 0, References: 3
Cvelist
added 2026/03/22 4:26 p.m., 26 views

CVE-2026-33292 AVideo has Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos

WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint view/hls.php is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The videoDirectory GET parameter is used in two...

CVSS 7.5, EPSS 0.00074
Exploits: 1, References: 2
CVE
added 2026/03/22 4:26 p.m., 5 views

CVE-2026-33292

Summary (CVE-2026-33292): WWBN AVideo is vulnerable prior to 26.0 due to a path traversal split-oracle in the HLS endpoint view/hls.php. The GET parameter videoDirectory is processed in two code paths: an authorization path that truncates after the first slash, and a file-access path that preser...

CVSS 7.5, AI score 5.9, EPSS 0.00074
Exploits: 1, References: 2, Affected Software: 1
Vulnrichment
added 2026/03/22 4:26 p.m., 1 view

CVE-2026-33292 AVideo has Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos

WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint view/hls.php is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The videoDirectory GET parameter is used in two...

CVSS 7.5, AI score 5.9, EPSS 0.00074
Exploits: 1, References: 2
OSV
added 2026/03/22 4:26 p.m., 1 view

CVE-2026-33292 AVideo has Authorization Bypass via Path Traversal in HLS Endpoint Allows Streaming Private/Paid Videos

WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint view/hls.php is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The videoDirectory GET parameter is used in two...

CVSS 7.5, AI score 6, EPSS 0.00074
Exploits: 1, References: 4
Positive Technologies
added 2026/03/19 12:0 a.m., 1 view

PT-2026-26470

Summary: The HLS streaming endpoint view/hls.php is vulnerable to a path traversal attack that allows an unauthenticated attacker to stream any private or paid video on the platform. The videoDirectory GET parameter is used in two divergent code paths — one for authorization which truncates at the...

CVSS 7.5, AI score 5.9, EPSS 0.00074
Exploits: 1, References: 8
Tenable Nessus
added 2026/01/24 12:0 a.m., 3 views

SUSE SLES15 Security Update : ffmpeg-4 (SUSE-SU-2026:0229-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0229-1 advisory. - CVE-2023-6601: Fixed HLS Unsafe File Extension Bypass bsc1220545. - CVE-2025-63757: Fixed integer overflow in yuv2ya16Xctemplate...

CVSS 7.5, AI score 5.7, EPSS 0.00067
Exploits: 1, References: 7
SUSE Linux
added 2026/01/22 12:22 p.m., 4 views

Security update for ffmpeg-4

This update for ffmpeg-4 fixes the following issues: CVE-2023-6601: Fixed HLS Unsafe File Extension Bypass bsc1220545. CVE-2025-63757: Fixed integer overflow in yuv2ya16Xctemplate bsc1255392. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST...

CVSS 8.7, AI score 5.5, EPSS 0.00067
Exploits: 1, References: 8
OSV
added 2026/01/22 12:22 p.m., 1 view

SUSE-SU-2026:0229-1 Security update for ffmpeg-4

This update for ffmpeg-4 fixes the following issues: - CVE-2023-6601: Fixed HLS Unsafe File Extension Bypass bsc1220545. - CVE-2025-63757: Fixed integer overflow in yuv2ya16Xctemplate bsc1255392...

CVSS 7.5, AI score 6.8, EPSS 0.00067
Exploits: 1, References: 5
Tenable Nessus
added 2026/01/22 12:0 a.m., 3 views

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : ffmpeg-4 (SUSE-SU-2026:0198-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0198-1 advisory. - CVE-2023-6601: Fixed HLS Unsafe File Extension Bypass bsc1220545. - CVE-2025-63757: Fixed...

CVSS 7.5, AI score 6.6, EPSS 0.00067
Exploits: 1, References: 7
SUSE Linux
added 2026/01/21 10:16 a.m., 5 views

Security update for ffmpeg-4

This update for ffmpeg-4 fixes the following issues: CVE-2023-6601: Fixed HLS Unsafe File Extension Bypass bsc1220545. CVE-2025-63757: Fixed integer overflow in yuv2ya16Xctemplate bsc1255392. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST...

CVSS 8.7, AI score 5.5, EPSS 0.00067
Exploits: 1, References: 8
Tenable Nessus
added 2026/01/17 12:0 a.m., 0 views

Debian dla-4440 : ffmpeg - security update

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4440 advisory. Debian LTS Advisory DLA-4440-1 [email protected]...

CVSS 8.8, AI score 7.5, EPSS 0.00778
Exploits: 2, References: 16
Debian
added 2026/01/16 11:11 p.m., 6 views

[SECURITY] [DLA 4440-1] ffmpeg security update

Debian LTS Advisory DLA-4440-1 [email protected] https://www.debian.org/lts/security/ Carlos Henrique Lima Melara January 16, 2026 https://wiki.debian.org/LTS Package : ffmpeg Version : 7:4.3.9-0+deb11u2 CVE ID : CVE-2023-6603 CVE-2024-36615 CVE-2025-1594 CVE-2025-7700 CVE-2025-9951...

CVSS 8.8, AI score 7.4, EPSS 0.00778
Exploits: 2