Videolan Videolan

  1. Vendors
  2. Videolan

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Videolan product.

RSS Feeds for Videolan security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Videolan products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Videolan Sorted by Most Security Vulnerabilities since 2018

Videolan Vlc Media Player35 vulnerabilities

Videolan Dav1d2 vulnerabilities

Videolan Vlc2 vulnerabilities

Videolan Vlc For Mobile1 vulnerability

By the Year

In 2026 there have been 3 vulnerabilities in Videolan with an average score of 4.5 out of ten. Videolan did not have any published security vulnerabilities last year. That is, 3 more vulnerabilities have already been reported in 2026 as compared to last year.




Year Vulnerabilities Average Score
2026 3 4.47
2025 0 0.00
2024 2 8.30
2023 3 7.73
2022 1 7.80
2021 5 7.32
2020 2 7.80
2019 17 6.37
2018 4 7.85

It may take a day or so for new Videolan vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Videolan Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2026-26227 Feb 26, 2026
VLC-Android <3.7.0: OTP Auth Bypass via Ratelimit Failure VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password (OTP) verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockout within the OTP validity window, allowing an attacker with network reachability to the server to repeatedly attempt OTP verification until a valid user_session cookie is issued. Successful exploitation results in unauthorized access to the Remote Access interface, limited to media files explicitly shared by the VLC for Android user.
Vlc
CVE-2026-26228 Feb 26, 2026
VideoLAN VLC Android <3.7.0 path traversal via Remote Access GET /download VideoLAN VLC for Android prior to version 3.7.0 contains a path traversal vulnerability in the Remote Access Server routing for the authenticated endpoint GET /download. The file query parameter is concatenated into a filesystem path under the configured download directory without canonicalization or directory containment checks, allowing an authenticated attacker with network reachability to the Remote Access Server to request files outside the intended directory. The impact is bounded by the Android application sandbox and storage restrictions, typically limiting exposure to app-internal and app-specific external storage.
Vlc
CVE-2025-51602 Jan 16, 2026
VLC 3.0.22 mmstu.c OOB read via MMS 0x01 mmstu.c in VideoLAN VLC media player before 3.0.22 allows an out-of-bounds read and denial of service via a crafted 0x01 response from an MMS server.
Vlc Media Player
CVE-2018-9341 Nov 19, 2024
VLC Media Player: Out-of-Bounds Write in impeg2d_mc_fullx_fully Function In impeg2d_mc_fullx_fully of impeg2d_mc.c there is a possible out of bound write due to missing bounds check. This could lead to remote arbitrary code execution with no additional execution privileges needed. User interaction is needed for exploitation.
Vlc Media Player
CVE-2024-1580 Feb 19, 2024
AV1 Integer Overrun in dav1d decoder pre1.4.0 An integer overflow in dav1d AV1 decoder that can occur when decoding videos with large frame size. This can lead to memory corruption within the AV1 decoder. We recommend upgrading past version 1.4.0 of dav1d.
Dav1d
CVE-2023-47359 Nov 07, 2023
VLC Packet Parser Heap Overflow before 3.0.20 (CVE-2023-47359) Videolan VLC prior to version 3.0.20 contains an incorrect offset read that leads to a Heap-Based Buffer Overflow in function GetPacket() and results in a memory corruption.
Vlc Media Player
CVE-2023-47360 Nov 07, 2023
VLC Media Player <3.0.20 Integer Underflow in Packet Length Videolan VLC prior to version 3.0.20 contains an Integer underflow that leads to an incorrect packet length.
Vlc Media Player
CVE-2023-32570 May 10, 2023
dav1d <1.2.0 Thread_Task Race -> Crash (dav1d_decode_frame_exit) VideoLAN dav1d before 1.2.0 has a thread_task.c race condition that can lead to an application crash, related to dav1d_decode_frame_exit.
Dav1d
CVE-2022-41325 Dec 06, 2022
Integer Overflow in VLC VNC Module pre-3.0.17.4 An integer overflow in the VNC module in VideoLAN VLC Media Player through 3.0.17.4 allows attackers, by tricking a user into opening a crafted playlist or connecting to a rogue VNC server, to crash VLC or execute code under some conditions.
Vlc Media Player
CVE-2021-25801 Jul 26, 2021
A buffer overflow vulnerability in the __Parse_indx component of VideoLAN VLC Media Player 3.0.11 A buffer overflow vulnerability in the __Parse_indx component of VideoLAN VLC Media Player 3.0.11 allows attackers to cause an out-of-bounds read via a crafted .avi file.
Vlc Media Player
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.