CVE-2026-44353
MEDIUMStreamlink: Arbitrary local file read via file:// URI in HLS and DASH
Title source: cnaDescription
Streamlink is a CLI utility which pipes video streams from various services into a video player. Prior to 8.4.0, Streamlink's HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote .m3u8 HLS playlist or .mpd DASH manifest can list file:///path/to/file as a segment, and streamlink will read that local file and write its contents to the output stream. This vulnerability is fixed in 8.4.0.
References (1)
Core 1
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/streamlink/streamlink/security/advisories/GHSA-hgqw-6m45-hw5f
Scores
CVSS v3
6.5
EPSS
0.0030
EPSS Percentile
21.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (2)
pypi/streamlink
0 - 8.4.0PyPI
streamlink/streamlink
< 8.4.0 (2 CPE variants)
Published
May 27, 2026
Tracked Since
May 27, 2026