The Gentoo tree has an updated version of video/mpv-0.27.2 which fixes CVE-2018-6360: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d329da2cb0aba9e7b9289a3c0604668542571478 As vapoursynth is disabled hardcoded in the above ebuild, the latest (non-live) of mpv with vapoursynth is media-video/mpv-0.27.0.20171027 which is very old and still contains the CVE: See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6360