CVE-2026-44353: Streamlink has an arbitrary local file read via file:// URI in HLS and DASH

May 11, 2026

Streamlink’s HLS and DASH parsers do not validate the URI scheme of segment entries and other resources. A remote .m3u8 HLS playlist or .mpd DASH manifest can list file:///path/to/file as a segment, and streamlink will read that local file and write its contents to the output stream.

Confirmed on streamlink 8.3.0 (latest release at time of report).

References

github.com/advisories/GHSA-hgqw-6m45-hw5f
github.com/streamlink/streamlink
github.com/streamlink/streamlink/security/advisories/GHSA-hgqw-6m45-hw5f
nvd.nist.gov/vuln/detail/CVE-2026-44353

Code Behaviors & Features

Detect and mitigate CVE-2026-44353 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →