A format string vulnerability in mpv up to and including 0.33.0 allows user-assisted remote malicious users to achieve code execution via a crafted m3u playlist file.
A security issue was found in mpv before version 0331 An unverified format string, provided by the user as part of mf:// URI, could result in undefined behavior or a buffer overflow ...