CVE-2026-44353
Severity CVSS v4.0: Pending analysis
Type: CWE-22 Path Traversal
Publication date: 27/05/2026
Last modified: 01/06/2026
Description
Streamlink is a CLI utility which pipes video streams from various services into a video player. Prior to version 8.4.0, Streamlink's HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote .m3u8 HLS playlist or .mpd DASH manifest can list file:///path/to/file as a segment, and Streamlink will read that local file and write its contents to the output stream. This vulnerability is fixed in 8.4.0.
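The missing check described above, as an added example (not Streamlink's code or its actual fix): resolve every HLS segment line and URI="..." tag attribute against the playlist URL and reject anything whose scheme is not http or https. The allow-list, the function names and the sample playlist are assumptions constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only remote HTTP(S) resources are legitimate
URI_ATTR = re.compile(r'URI="([^"]*)"')  # URI attribute of tags such as EXT-X-KEY / EXT-X-MAP

# Constructed sample playlist, not taken from a real service.
SAMPLE_PLAYLIST = """#EXTM3U
#EXT-X-VERSION:3
#EXT-X-TARGETDURATION:6
#EXT-X-KEY:METHOD=AES-128,URI="file:///path/to/file"
#EXTINF:6.0,
segment0.ts
#EXTINF:6.0,
file:///path/to/file
#EXTINF:6.0,
https://cdn.example.invalid/live/segment2.ts
#EXT-X-ENDLIST
"""


def playlist_uris(text):
    """Yield (line_number, uri) for segment lines and URI="..." tag attributes."""
    for number, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            for match in URI_ATTR.finditer(line):
                yield number, match.group(1)
        else:
            yield number, line


def rejected_uris(text, base_url):
    """Return (line_number, resolved_uri) for entries outside ALLOWED_SCHEMES."""
    rejected = []
    for number, uri in playlist_uris(text):
        resolved = urljoin(base_url, uri)  # relative entries inherit the playlist's scheme
        if urlsplit(resolved).scheme not in ALLOWED_SCHEMES:
            rejected.append((number, resolved))
    return rejected


if __name__ == "__main__":
    base = "https://cdn.example.invalid/live/index.m3u8"  # constructed playlist URL
    for number, uri in rejected_uris(SAMPLE_PLAYLIST, base):
        print(f"line {number}: refusing non-HTTP(S) resource {uri}")
```

The scheme is checked after resolution against the playlist URL, so relative entries are accepted while absolute file: entries are flagged regardless of where they appear.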
Impact
Base Score 3.x: 6.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:streamlink:streamlink:*:*:*:*:*:python:*:* | | 8.4.0 (excluding) |



