IINA CVE-2026-47114: macOS Command Execution via Malicious URL

The National Vulnerability Database (NVD) reports a critical user-assisted command execution vulnerability, CVE-2026-47114, affecting IINA versions prior to 1.4.3. This flaw allows remote attackers to execute arbitrary commands on macOS systems by manipulating mpv_-prefixed query parameters within the iina://open custom URL scheme handler.

Attackers can leverage a crafted URL delivered via a web browser. Upon user approval of the browser protocol prompt, the unvalidated mpv_options/input-commands parameters are passed directly to the mpv runtime. This bypasses the need for a legitimate media file, resulting in arbitrary command execution under the privileges of the current macOS user. NVD assigns this vulnerability a CVSSv3.1 score of 8.8 (HIGH), highlighting its severe impact on confidentiality, integrity, and availability.

This isn’t a theoretical threat. It’s a clear path to system compromise. The attacker’s calculus is simple: trick a user into clicking a link, get code execution. Defenders need to recognize that client-side vulnerabilities like this, especially those leveraging custom URL schemes, are prime targets. They exploit trust in familiar applications and browser prompts, turning common user actions into attack vectors.

What This Means For You

  • If your organization uses IINA on macOS, you are exposed to remote command execution. Immediately patch IINA to version 1.4.3 or later. This isn't optional; it's a direct path to system compromise via a user-assisted click. Educate your users on the risks of approving browser protocol prompts from untrusted sources.

🛡️ Detection Rules

Severity: critical · ATT&CK: T1190 (Initial Access)

macOS IINA CVE-2026-47114 Malicious URL Scheme Execution

title: macOS IINA CVE-2026-47114 Malicious URL Scheme Execution
id: scw-2026-05-21-ai-1
status: experimental
level: critical
description: |
  Detects the use of the IINA custom URL scheme with parameters known to be used in the CVE-2026-47114 exploit. This allows for arbitrary command execution on macOS when a user clicks a malicious link, bypassing normal security checks after a browser protocol prompt.
author: SCW Feed Engine (AI-generated)
date: 2026-05-21
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-47114/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: process_creation
  product: macos
detection:
  selection:
    Image|startswith: '/Applications/IINA.app/'
    # process_creation events expose CommandLine; the cs-uri* fields exist only in proxy logs.
    # |all requires every listed string to be present in the same command line.
    # Validate that your macOS telemetry records the handler URL on the command line;
    # raw substring matching also misses percent-encoded parameter names.
    CommandLine|contains|all:
      - 'iina://open?'
      - 'mpv_options'
      - 'input-commands'
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse
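
Substring matching on the raw URL, as in the rule above, misses parameter names that arrive percent-encoded or HTML-escaped in a page or message. The Python below is an added example (not code from NVD, IINA, or the rule's author) that extracts iina://open URLs from text, decodes the query string, and reports any mpv_-prefixed parameters. The function names, the severity labels, and the sample input are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

PREFIX = "mpv_"                        # parameter prefix named in the advisory
NAMED = ("options", "input-commands")  # strings the advisory and rule call out
URL_RE = re.compile(r"iina://[^\s\"'<>]+", re.IGNORECASE)

def mpv_params(url):
    """Decoded mpv_-prefixed parameter names of an iina://open URL, else []."""
    try:
        parts = urlsplit(html.unescape(url))   # &amp; -> & before splitting
    except ValueError:
        return []
    if parts.scheme != "iina" or parts.hostname != "open":
        return []
    # parse_qsl percent-decodes keys, so mpv%5Fx is seen as mpv_x
    keys = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    return sorted(k for k in keys if k.lower().startswith(PREFIX))

def triage(text):
    """Find iina://open URLs in text that carry mpv_-prefixed parameters."""
    findings = []
    for match in URL_RE.finditer(text):
        params = mpv_params(match.group(0))
        if params:
            # Assumption of this example: advisory-named parameters rank higher
            named = any(p.lower()[len(PREFIX):] in NAMED for p in params)
            findings.append({"url": match.group(0), "params": params,
                             "severity": "high" if named else "review"})
    return findings

# Constructed sample input: page source and a log line; values are placeholders
SAMPLE = """\
<a href="iina://open?url=https%3A%2F%2Fexample.com%2Fclip.mp4">play</a>
<a href="IINA://open?url=clip.mp4&amp;mpv%5Finput-commands=PLACEHOLDER">play</a>
GET /r?to=iina://open?mpv_volume=50 HTTP/1.1
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding["severity"], finding["params"], finding["url"])
```

The second sample link contains neither `mpv_` nor `&` in raw form, so a plain substring rule would not match it; the decoded view does.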

Indicators of Compromise

| ID | Type | Indicator |
|----|------|-----------|
| CVE-2026-47114 | RCE | IINA before 1.4.3 |
| CVE-2026-47114 | RCE | iina://open custom URL scheme handler |
| CVE-2026-47114 | Command Injection | malicious mpv_-prefixed query parameters |
| CVE-2026-47114 | Command Injection | unvalidated mpv_options/input-commands parameters into the mpv runtime |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 21, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
