CVE-2026-44353 Streamlink: Arbitrary local file read via file:// URI in HLS and DASH

Streamlink is a CLI utility which pipes video streams from various services into a video player. Prior to 8.4.0, Streamlink's HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote .m3u8 HLS playlist or .mpd DASH manifest can list file:///path/to/file...

bsky2llm (=0.1.0), downitall-android (=1.5.0) +14 more potentially affected by CVE-2026-44353 via streamlink (>=0.14.2 <=8.0.0)

streamlink PYPI version =0.14.2, =0.3.0, =0.0.1, =0.0.18, =1.0.0, =0.12.0, =0.1.14, =1.1.0, =0.0.1, =2.1.0, =3.4.0b2 - twitch-fapi-backend =0.1.0 and more Source cves: CVE-2026-44353 Source advisory: OSV:GHSA-HGQW-6M45-HW5F...

Streamlink has an arbitrary local file read via file:// URI in HLS and DASH

Summary Streamlink's HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote .m3u8 HLS playlist or .mpd DASH manifest can list file:///path/to/file as a segment, and streamlink will read that local file and write its contents to the output stream...