2024

2023

2022

2021

2020

2019

2018

2017

CVE-2017-16069 (v3: 7.5) 7 Jun 2018
nodeffmpeg was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
CVE-2017-9993 (v3: 7.5) 28 Jun 2017
FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 does not properly restrict HTTP Live Streaming filename extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.

2016

CVE-2016-7555 (v3: 5.5) 23 Dec 2016
The avi_read_header function in libavformat/avidec.c in FFmpeg before 3.1.4 is vulnerable to a memory leak when decoding an AVI file that has a crafted "strh" structure.
CVE-2016-1897 (v3: 5.5) 15 Jan 2016
FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the concat protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains the first line of a local file.
CVE-2016-1898 (v3: 5.5) 15 Jan 2016
FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the subfile protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains an arbitrary line of a local file.

2015