Bug 2482289 (CVE-2026-44353)
| Summary: | CVE-2026-44353 streamlink: Streamlink: Information disclosure via improper URI scheme validation in HLS and DASH parsers | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | jmitchel, kshier, pbohmill, teagle |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in Streamlink. Its HLS (HTTP Live Streaming) and DASH (Dynamic Adaptive Streaming over HTTP) parsers do not properly validate the URI (Uniform Resource Identifier) scheme of segment entries. A remote attacker could craft a malicious HLS playlist or DASH manifest to include local file paths. If a user opens such a crafted playlist or manifest, Streamlink would read the specified local file and write its contents to the output stream, leading to information disclosure.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2026-05-27 17:03:27 UTC
|