汇总 VideoLAN 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
常见弱点模式包括 输入验证问题、跨站脚本、路径处理缺陷与文件包含,在 生产负载与软件部署 使用场景中可能带来 文件覆盖、会话劫持与未授权访问 等风险。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2026-26227 | VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockout within the OTP validity window, allowing an attacker with network reachability to the server to repeatedly attempt OTP verification until a valid user_session cookie is issued. Successful exploitatio | [email protected] | 6.3 | 0.30% | 2026-02-26 | 2026-06-17 |
| CVE-2026-26228 | VideoLAN VLC for Android prior to version 3.7.0 contains a path traversal vulnerability in the Remote Access Server routing for the authenticated endpoint GET /download. The file query parameter is concatenated into a filesystem path under the configured download directory without canonicalization or directory containment checks, allowing an authenticated attacker with network reachability to the Remote Access Server to request files outside the intended directory. The impact is bounded by the A | [email protected] | 2.3 | 0.27% | 2026-02-26 | 2026-06-17 |
| CVE-2025-51602 | mmstu.c in VideoLAN VLC media player before 3.0.22 allows an out-of-bounds read and denial of service via a crafted 0x01 response from an MMS server. | [email protected] | 4.8 | 0.37% | 2026-01-16 | 2026-06-17 |
| CVE-2024-1580 | An integer overflow in dav1d AV1 decoder that can occur when decoding videos with large frame size. This can lead to memory corruption within the AV1 decoder. We recommend upgrading past version 1.4.0 of dav1d. | [email protected] | 5.9 | 1.84% | 2024-02-19 | 2026-06-17 |
| CVE-2023-46814 | A binary hijacking vulnerability exists within the VideoLAN VLC media player before 3.0.19 on Windows. The uninstaller attempts to execute code with elevated privileges out of a standard user writable location. Standard users may use this to gain arbitrary code execution as SYSTEM. | [email protected] | 7.8 | 0.28% | 2023-11-22 | 2026-06-17 |
| CVE-2023-47360 | Videolan VLC prior to version 3.0.20 contains an Integer underflow that leads to an incorrect packet length. | [email protected] | 7.5 | 0.91% | 2023-11-07 | 2026-06-17 |
| CVE-2023-47359 | Videolan VLC prior to version 3.0.20 contains an incorrect offset read that leads to a Heap-Based Buffer Overflow in function GetPacket() and results in a memory corruption. | [email protected] | 9.8 | 1.10% | 2023-11-07 | 2026-06-17 |
| CVE-2023-32570 | VideoLAN dav1d before 1.2.0 has a thread_task.c race condition that can lead to an application crash, related to dav1d_decode_frame_exit. | [email protected] | 5.9 | 0.74% | 2023-05-10 | 2026-06-17 |
| CVE-2022-41325 | An integer overflow in the VNC module in VideoLAN VLC Media Player through 3.0.17.4 allows attackers, by tricking a user into opening a crafted playlist or connecting to a rogue VNC server, to crash VLC or execute code under some conditions. | [email protected] | 7.8 | 0.65% | 2022-12-06 | 2026-06-17 |
| CVE-2021-25804 | A NULL-pointer dereference in "Open" in avi.c of VideoLAN VLC Media Player 3.0.11 can a denial of service (DOS) in the application. | [email protected] | 7.5 | 1.81% | 2021-07-26 | 2026-06-16 |
| CVE-2021-25803 | A buffer overflow vulnerability in the vlc_input_attachment_New component of VideoLAN VLC Media Player 3.0.11 allows attackers to cause an out-of-bounds read via a crafted .avi file. | [email protected] | 7.1 | 0.74% | 2021-07-26 | 2026-06-16 |
| CVE-2021-25802 | A buffer overflow vulnerability in the AVI_ExtractSubtitle component of VideoLAN VLC Media Player 3.0.11 allows attackers to cause an out-of-bounds read via a crafted .avi file. | [email protected] | 7.1 | 0.74% | 2021-07-26 | 2026-06-16 |
| CVE-2021-25801 | A buffer overflow vulnerability in the __Parse_indx component of VideoLAN VLC Media Player 3.0.11 allows attackers to cause an out-of-bounds read via a crafted .avi file. | [email protected] | 7.1 | 1.52% | 2021-07-26 | 2026-06-16 |
| CVE-2020-26664 | A vulnerability in EbmlTypeDispatcher::send in VideoLAN VLC media player 3.0.11 allows attackers to trigger a heap-based buffer overflow via a crafted .mkv file. | [email protected] | 7.8 | 1.54% | 2021-01-08 | 2026-07-08 |
| CVE-2020-13428 | A heap-based buffer overflow in the hxxx_AnnexB_to_xVC function in modules/packetizer/hxxx_nal.c in VideoLAN VLC media player before 3.0.11 for macOS/iOS allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted H.264 Annex-B video (.avi for example) file. | [email protected] | 7.8 | 2.39% | 2020-06-08 | 2026-06-16 |
| CVE-2019-19721 | An off-by-one error in the DecodeBlock function in codec/sdl_image.c in VideoLAN VLC media player before 3.0.9 allows remote attackers to cause a denial of service (memory corruption) via a crafted image file. NOTE: this may be related to the SDL_Image product. | [email protected] | 7.8 | 1.93% | 2020-05-15 | 2026-06-16 |
| CVE-2013-3564 | The web interface in VideoLAN VLC media player before 2.0.7 has no access control which allows remote attackers to view directory listings via the 'dir' command or issue other commands without authenticating. | [email protected] | 5.3 | 1.11% | 2020-02-06 | 2026-06-16 |
| CVE-2013-3565 | Multiple cross-site scripting (XSS) vulnerabilities in the HTTP Interface in VideoLAN VLC Media Player before 2.0.7 allow remote attackers to inject arbitrary web script or HTML via the (1) command parameter to requests/vlm_cmd.xml, (2) dir parameter to requests/browse.xml, or (3) URI in a request, which is returned in an error message through share/lua/intf/http.lua. | [email protected] | 6.1 | 1.58% | 2020-01-31 | 2026-06-16 |
| CVE-2014-9630 | The rtp_packetize_xiph_config function in modules/stream_out/rtpfmt.c in VideoLAN VLC media player before 2.1.6 uses a stack-allocation approach with a size determined by arbitrary input data, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted length value. | [email protected] | 7.8 | 1.49% | 2020-01-24 | 2026-06-16 |
| CVE-2014-9629 | Integer overflow in the Encode function in modules/codec/schroedinger.c in VideoLAN VLC media player before 2.1.6 and 2.2.x before 2.2.1 allows remote attackers to conduct buffer overflow attacks and execute arbitrary code via a crafted length value. | [email protected] | 7.8 | 2.37% | 2020-01-24 | 2026-06-16 |