CVE-2026-44353 MEDIUM

CVE-2026-44353: Streamlink: Arbitrary local file read via file:// URI in HLS and DASH

Vendor Streamlink
Product streamlink
Weakness CWE-22 · Path traversal
Published May 27, 2026
Last update May 27, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

Streamlink is a CLI utility which pipes video streams from various services into a video player. Prior to 8.4.0, Streamlink's HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote .m3u8 HLS playlist or .mpd DASH manifest can list file:///path/to/file as a segment, and streamlink will read that local file and write its contents to the output stream. This vulnerability is fixed in 8.4.0.
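The missing check described above, as an added example (not Streamlink's code and not its 8.4.0 fix): resolve every resource reference in an HLS playlist against the playlist URL and reject any whose scheme is not allowlisted. The http/https allowlist, the function names, and the cdn.example playlist are assumptions constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

# Assumption: only network schemes are acceptable for playlist resources.
ALLOWED_SCHEMES = {"http", "https"}

# URI="..." attributes occur in tags such as EXT-X-KEY, EXT-X-MAP, EXT-X-MEDIA.
_URI_ATTR = re.compile(r'URI="([^"]*)"')

def playlist_uris(text):
    """Yield (line_number, raw_uri) for each resource reference in an HLS playlist."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            for m in _URI_ATTR.finditer(line):
                yield n, m.group(1)
        else:
            yield n, line  # a non-tag line is a segment or variant URI

def rejected_uris(text, base_url):
    """Return references whose scheme, after resolution, is not allowlisted."""
    bad = []
    for n, raw in playlist_uris(text):
        # Relative references inherit the playlist's scheme; absolute ones keep their own.
        resolved = urljoin(base_url, raw)
        if urlsplit(resolved).scheme.lower() not in ALLOWED_SCHEMES:
            bad.append((n, raw))
    return bad

# Constructed sample playlist; file:///path/to/file is the placeholder from the advisory.
BASE = "https://cdn.example/live/index.m3u8"
SAMPLE = """\
#EXTM3U
#EXT-X-TARGETDURATION:6
#EXT-X-KEY:METHOD=AES-128,URI="https://cdn.example/live/key.bin"
#EXTINF:6.0,
seg1.ts
#EXTINF:6.0,
file:///path/to/file
#EXT-X-ENDLIST
"""

if __name__ == "__main__":
    for line_no, uri in rejected_uris(SAMPLE, BASE):
        print(f"line {line_no}: rejected {uri}")
```

The same resolve-then-check step applies to URL attributes and elements in a DASH manifest, which this example does not parse.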

Key dates

02 Disclosure timeline

May 27, 2026 CVE published
May 27, 2026 Record updated