
CVSS: 5.3 • EPSS: 0% • CPEs: - • EXPL: 1

02 Mar 2025 — A vulnerability classified as problematic has been found in FFmpeg up to 6e26f57f672b05e7b8b052007a83aef99dc81ccb. ... • https://ffmpeg.org • CWE-401: Missing Release of Memory after Effective Lifetime • CWE-404: Improper Resource Shutdown or Release

CVSS: 7.5 • EPSS: 0% • CPEs: - • EXPL: 1

23 Feb 2025 — A vulnerability, which was classified as critical, was found in FFmpeg up to 7.1. ... • https://ffmpeg.org • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer • CWE-121: Stack-based Buffer Overflow

CVSS: 4.8 • EPSS: 0% • CPEs: - • EXPL: 1

17 Feb 2025 — A vulnerability was found in FFmpeg up to 7.1. ... A problematic vulnerability was identified in FFmpeg up to 7.1. • https://ffmpeg.org • CWE-404: Improper Resource Shutdown or Release • CWE-476: NULL Pointer Dereference

CVSS: 8.8 • EPSS: 0% • CPEs: 2 • EXPL: 2

08 Aug 2024 — A vulnerability, which was classified as critical, was found in FFmpeg up to 5.1.5. ... Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed. • https://ffmpeg.org • CWE-122: Heap-based Buffer Overflow

CVSS: 7.5 • EPSS: 0% • CPEs: 12 • EXPL: 1

06 Aug 2024 — A vulnerability was found in FFmpeg up to 7.0.1. ... Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed. • https://ffmpeg.org • CWE-122: Heap-based Buffer Overflow

CVSS: 10.0 • EPSS: 3% • CPEs: 1 • EXPL: 1

10 Apr 2024 — The vulnerability arises due to the lack of sanitization of user-supplied filenames before passing them to ffmpeg via a shell command, allowing an attacker to execute arbitrary commands on the host system. • https://github.com/Instructor-Team8/CVE-2024-20291-POC • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

12 Jan 2024 — An issue was discovered in Jave2 version 3.3.1 that allows attackers to execute arbitrary code via the FFmpeg function. • https://gist.github.com/Dollhouse-18/288b4774bc296722c9e3c60bafa392bf

CVSS: 8.3 • EPSS: 0% • CPEs: 1 • EXPL: 2

13 Dec 2023 — Jellyfin is a system for managing and streaming media. Prior to version 10.8.13, the `/System/MediaEncoder/Path` endpoint executes an arbitrary file using `ProcessStartInfo` via the `ValidateVersion` function. A malicious administrator can set up a network share and supply a UNC path to `/System/MediaEncoder/Path` which points to an executable on the network share, causing Jellyfin server to run the executable in the local context. The endpoint was removed in version 10.8.13. • https://github.com/jellyfin/jellyfin/commit/83d2c69516471e2db72d9273c6a04247d0f37c86 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 9.0 • EPSS: 7% • CPEs: 1 • EXPL: 1

06 Dec 2023 — Those arguments land in the command line of FFmpeg. Because UseShellExecute is always set to false, we can’t simply terminate the FFmpeg command and execute our own. It should only be possible to add additional arguments to FFmpeg, which is powerful enough as it stands. ... • https://ffmpeg.org/ffmpeg-filters.html#drawtext-1 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CVSS: 10.0 • EPSS: 1% • CPEs: 4 • EXPL: 1

28 Jul 2023 — Uninitialized Use in FFmpeg in Google Chrome prior to 108.0.5359.71 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) Several vulnerabilities have been discovered in the FFmpeg multimedia framework, which could result in denial of service or potentially the execution of arbitrary code if malformed files/streams are processed. • https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_29.html