Vulnerability-Lookup

CVE-2026-44353 (GCVE-0-2026-44353)

Vulnerability from cvelistv5 – Published: 2026-05-27 15:10 – Updated: 2026-05-27 15:10

Title

Streamlink: Arbitrary local file read via file:// URI in HLS and DASH

Summary

Streamlink is a CLI utility which pipes video streams from various services into a video player. Prior to 8.4.0, Streamlink's HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote .m3u8 HLS playlist or .mpd DASH manifest can list file:///path/to/file as a segment, and streamlink will read that local file and write its contents to the output stream. This vulnerability is fixed in 8.4.0.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/streamlink/streamlink/security…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
streamlink	streamlink	Affected: < 8.4.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "streamlink",
          "vendor": "streamlink",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 8.4.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Streamlink is a CLI utility which pipes video streams from various services into a video player. Prior to 8.4.0, Streamlink\u0027s HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote .m3u8 HLS playlist or .mpd DASH manifest can list file:///path/to/file as a segment, and streamlink will read that local file and write its contents to the output stream. This vulnerability is fixed in 8.4.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T15:10:23.537Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/streamlink/streamlink/security/advisories/GHSA-hgqw-6m45-hw5f",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/streamlink/streamlink/security/advisories/GHSA-hgqw-6m45-hw5f"
        }
      ],
      "source": {
        "advisory": "GHSA-hgqw-6m45-hw5f",
        "discovery": "UNKNOWN"
      },
      "title": "Streamlink: Arbitrary local file read via file:// URI in HLS and DASH"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44353",
    "datePublished": "2026-05-27T15:10:23.537Z",
    "dateReserved": "2026-05-05T19:52:59.148Z",
    "dateUpdated": "2026-05-27T15:10:23.537Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-44353\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-27T17:16:38.927\",\"lastModified\":\"2026-05-27T17:16:38.927\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Streamlink is a CLI utility which pipes video streams from various services into a video player. Prior to 8.4.0, Streamlink\u0027s HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote .m3u8 HLS playlist or .mpd DASH manifest can list file:///path/to/file as a segment, and streamlink will read that local file and write its contents to the output stream. This vulnerability is fixed in 8.4.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"references\":[{\"url\":\"https://github.com/streamlink/streamlink/security/advisories/GHSA-hgqw-6m45-hw5f\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

FKIE_CVE-2026-44353

Vulnerability from fkie_nvd - Published: 2026-05-27 17:16 - Updated: 2026-05-27 17:16

Severity

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/streamlink/streamlink/security/advisories/GHSA-hgqw-6m45-hw5f

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Streamlink is a CLI utility which pipes video streams from various services into a video player. Prior to 8.4.0, Streamlink\u0027s HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote .m3u8 HLS playlist or .mpd DASH manifest can list file:///path/to/file as a segment, and streamlink will read that local file and write its contents to the output stream. This vulnerability is fixed in 8.4.0."
    }
  ],
  "id": "CVE-2026-44353",
  "lastModified": "2026-05-27T17:16:38.927",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-27T17:16:38.927",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/streamlink/streamlink/security/advisories/GHSA-hgqw-6m45-hw5f"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-HGQW-6M45-HW5F

Vulnerability from github – Published: 2026-05-11 14:28 – Updated: 2026-05-11 14:28

Summary

Streamlink has an arbitrary local file read via file:// URI in HLS and DASH

Details

Summary

Streamlink's HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote .m3u8 HLS playlist or .mpd DASH manifest can list file:///path/to/file as a segment, and streamlink will read that local file and write its contents to the output stream.

Confirmed on streamlink 8.3.0 (latest release at time of report).

Description

Segment URIs from an HLS playlist or DASH manifest are passed to the worker without any scheme check. The underlying HTTP session accepts file:// URIs, which resolve against the local filesystem. There is no scheme allowlist at the parser level, so any path readable by the streamlink process is treated as a valid segment.

The attacker does not need local access to the victim. A playlist/manifest hosted on an attacker-controlled server, fetched by streamlink on the victim's machine, is enough to trigger the read.

Impact

A remote attacker hosting a malicious playlist/manifest can make any client running streamlink against that URL read arbitrary local files within the streamlink process's read scope and write them into the output file.

Reachable files depend on the user running streamlink. Typical targets: ~/.ssh/id_* private keys, ~/.aws/credentials, shell history, application config files holding API tokens, and world-readable system files like /etc/passwd.

Affected scenarios

Server-side or automated deployments (recording bots, media pipelines, CI jobs processing playlists). The output file is often uploaded, logged, or otherwise exposed, which gives direct disclosure to attacker-reachable locations.
Interactive desktop use. File contents land on the victim's disk and can leak through secondary channels: the user sharing the recording, cloud sync, backup, etc.

This bug does not on its own send file contents back to the attacker. The disclosure goes to the output sink. Full exfiltration depends on what happens to that file afterward.

Steps to reproduce

Tested on streamlink 8.3.0, Linux (Kali).

Save as playlist.m3u8:

```m3u

EXTM3U

EXT-X-VERSION:3

EXT-X-TARGETDURATION:5

EXT-X-PLAYLIST-TYPE:VOD

EXTINF:5.0,

file:///etc/passwd

EXT-X-ENDLIST

```
Host the playlist on a remote server reachable by the victim. For testing, a VPS, a tunnel (cloudflared, ngrok), or a static host like GitHub Pages all work.
On the victim machine:

sh streamlink "hls://https://attacker-host.example/playlist.m3u8" best -o /tmp/proof.ts
Inspect the output:

sh cat /tmp/proof.ts
The output contains the contents of /etc/passwd from the machine running streamlink.

Local reproduction (equivalent, simpler to set up):

python3 -m http.server 8080    # in directory containing playlist.m3u8
streamlink "hls://http://127.0.0.1:8080/playlist.m3u8" best -o /tmp/proof.ts
cat /tmp/proof.ts

The remote case was confirmed independently using a tunnel.

Proposed remediation

Allowlist http and https for segment URIs in the HLS parser. Reject any other scheme (file, ftp, data, etc.) at parse time, before the URI reaches the fetcher.

The check needs to cover:

Segment URIs in the top-level manifest.
Segment URIs in nested manifests pulled during playback (variant playlists referenced from a master playlist).
Other URI fields the fetcher consumes — #EXT-X-KEY and #EXT-X-MAP URIs at minimum. Worth auditing the rest for the same issue.

The check belongs in the parser, not the fetcher. Putting it next to the untrusted input means downstream callers don't each need to re-implement it, and any future fetcher path inherits the protection by default.

Severity

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 8.3.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "streamlink"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "8.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44353"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T14:28:30Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nStreamlink\u0027s HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote `.m3u8` HLS playlist or `.mpd` DASH manifest can list `file:///path/to/file` as a segment, and streamlink will read that local file and write its contents to the output stream.\n\nConfirmed on streamlink 8.3.0 (latest release at time of report).\n\n## Description\n\nSegment URIs from an HLS playlist or DASH manifest are passed to the worker without any scheme check. The underlying HTTP session accepts `file://` URIs, which resolve against the local filesystem. There is no scheme allowlist at the parser level, so any path readable by the streamlink process is treated as a valid segment.\n\nThe attacker does not need local access to the victim. A playlist/manifest hosted on an attacker-controlled server, fetched by streamlink on the victim\u0027s machine, is enough to trigger the read.\n\n## Impact\n\nA remote attacker hosting a malicious playlist/manifest can make any client running streamlink against that URL read arbitrary local files within the streamlink process\u0027s read scope and write them into the output file.\n\nReachable files depend on the user running streamlink. Typical targets: `~/.ssh/id_*` private keys, `~/.aws/credentials`, shell history, application config files holding API tokens, and world-readable system files like `/etc/passwd`.\n\n### Affected scenarios\n\n- Server-side or automated deployments (recording bots, media pipelines, CI jobs processing playlists). The output file is often uploaded, logged, or otherwise exposed, which gives direct disclosure to attacker-reachable locations.\n- Interactive desktop use. File contents land on the victim\u0027s disk and can leak through secondary channels: the user sharing the recording, cloud sync, backup, etc.\n\nThis bug does not on its own send file contents back to the attacker. The disclosure goes to the output sink. Full exfiltration depends on what happens to that file afterward.\n\n## Steps to reproduce\n\nTested on streamlink 8.3.0, Linux (Kali).\n\n1. Save as `playlist.m3u8`:\n\n    ```m3u\n    #EXTM3U\n    #EXT-X-VERSION:3\n    #EXT-X-TARGETDURATION:5\n    #EXT-X-PLAYLIST-TYPE:VOD\n    #EXTINF:5.0,\n    file:///etc/passwd\n    #EXT-X-ENDLIST\n    ```\n\n2. Host the playlist on a remote server reachable by the victim. For testing, a VPS, a tunnel (cloudflared, ngrok), or a static host like GitHub Pages all work.\n\n3. On the victim machine:\n\n    ```sh\n    streamlink \"hls://https://attacker-host.example/playlist.m3u8\" best -o /tmp/proof.ts\n    ```\n\n3. Inspect the output:\n\n    ```sh\n    cat /tmp/proof.ts\n    ```\n\n4. The output contains the contents of `/etc/passwd` from the machine running streamlink.\n\n### Local reproduction (equivalent, simpler to set up):\n\n```sh\npython3 -m http.server 8080    # in directory containing playlist.m3u8\nstreamlink \"hls://http://127.0.0.1:8080/playlist.m3u8\" best -o /tmp/proof.ts\ncat /tmp/proof.ts\n```\n\nThe remote case was confirmed independently using a tunnel.\n\n## Proposed remediation\n\nAllowlist http and https for segment URIs in the HLS parser. Reject any other scheme (file, ftp, data, etc.) at parse time, before the URI reaches the fetcher.\n\nThe check needs to cover:\n\n- Segment URIs in the top-level manifest.\n- Segment URIs in nested manifests pulled during playback (variant playlists referenced from a master playlist).\n- Other URI fields the fetcher consumes \u2014 `#EXT-X-KEY` and `#EXT-X-MAP` URIs at minimum. Worth auditing the rest for the same issue.\n\nThe check belongs in the parser, not the fetcher. Putting it next to the untrusted input means downstream callers don\u0027t each need to re-implement it, and any future fetcher path inherits the protection by default.",
  "id": "GHSA-hgqw-6m45-hw5f",
  "modified": "2026-05-11T14:28:30Z",
  "published": "2026-05-11T14:28:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/streamlink/streamlink/security/advisories/GHSA-hgqw-6m45-hw5f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/streamlink/streamlink"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Streamlink has an arbitrary local file read via file:// URI in HLS and DASH"
}

OPENSUSE-SU-2026:10733-1

Vulnerability from csaf_opensuse - Published: 2026-05-08 00:00 - Updated: 2026-05-08 00:00

Summary

streamlink-8.4.0-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: streamlink-8.4.0-1.1 on GA media

Description of the patch: These are all security issues fixed in the streamlink-8.4.0-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10733

CVE-2026-44353

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:streamlink-8.4.0-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:streamlink-8.4.0-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:streamlink-8.4.0-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:streamlink-8.4.0-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

5 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2026-44353/	self
https://www.suse.com/security/cve/CVE-2026-44353	external
https://bugzilla.suse.com/1264495	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "streamlink-8.4.0-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the streamlink-8.4.0-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10733",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10733-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-44353 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-44353/"
      }
    ],
    "title": "streamlink-8.4.0-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-05-08T00:00:00Z",
      "generator": {
        "date": "2026-05-08T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10733-1",
      "initial_release_date": "2026-05-08T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-05-08T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "streamlink-8.4.0-1.1.aarch64",
                "product": {
                  "name": "streamlink-8.4.0-1.1.aarch64",
                  "product_id": "streamlink-8.4.0-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "streamlink-8.4.0-1.1.ppc64le",
                "product": {
                  "name": "streamlink-8.4.0-1.1.ppc64le",
                  "product_id": "streamlink-8.4.0-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "streamlink-8.4.0-1.1.s390x",
                "product": {
                  "name": "streamlink-8.4.0-1.1.s390x",
                  "product_id": "streamlink-8.4.0-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "streamlink-8.4.0-1.1.x86_64",
                "product": {
                  "name": "streamlink-8.4.0-1.1.x86_64",
                  "product_id": "streamlink-8.4.0-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "streamlink-8.4.0-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:streamlink-8.4.0-1.1.aarch64"
        },
        "product_reference": "streamlink-8.4.0-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "streamlink-8.4.0-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:streamlink-8.4.0-1.1.ppc64le"
        },
        "product_reference": "streamlink-8.4.0-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "streamlink-8.4.0-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:streamlink-8.4.0-1.1.s390x"
        },
        "product_reference": "streamlink-8.4.0-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "streamlink-8.4.0-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:streamlink-8.4.0-1.1.x86_64"
        },
        "product_reference": "streamlink-8.4.0-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-44353",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-44353"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "unknown",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:streamlink-8.4.0-1.1.aarch64",
          "openSUSE Tumbleweed:streamlink-8.4.0-1.1.ppc64le",
          "openSUSE Tumbleweed:streamlink-8.4.0-1.1.s390x",
          "openSUSE Tumbleweed:streamlink-8.4.0-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-44353",
          "url": "https://www.suse.com/security/cve/CVE-2026-44353"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1264495 for CVE-2026-44353",
          "url": "https://bugzilla.suse.com/1264495"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:streamlink-8.4.0-1.1.aarch64",
            "openSUSE Tumbleweed:streamlink-8.4.0-1.1.ppc64le",
            "openSUSE Tumbleweed:streamlink-8.4.0-1.1.s390x",
            "openSUSE Tumbleweed:streamlink-8.4.0-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-08T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2026-44353"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-44353 (GCVE-0-2026-44353)

FKIE_CVE-2026-44353

GHSA-HGQW-6M45-HW5F

Summary

Description

Impact

Affected scenarios

Steps to reproduce

EXTM3U

EXT-X-VERSION:3

EXT-X-TARGETDURATION:5

EXT-X-PLAYLIST-TYPE:VOD

EXTINF:5.0,

EXT-X-ENDLIST

Local reproduction (equivalent, simpler to set up):

Proposed remediation

OPENSUSE-SU-2026:10733-1

Tags

Sightings

Nomenclature