Unnecessary journalist fluff around the source material from Mozilla.
CVE-2023-35674 No real details published yet but Google discussed it in their September security bulletin.
PSA: Android just published a patch for a very similar vulnerability in their September Security release. You should update your Android devices ASAP.
It’s literally been 3 days since Android had a vulnerability of this exact nature: remote code execution with zero user interaction required (CVE-2023-35674).
Every piece of software has vulnerabilities lurking within. What matters is the velocity at which vendors address and resolve those vulnerabilities. Apple and Google are both exemplary at getting patches out quickly.
No, VLC is its own thing however it uses libavcodec from the FFmpeg project for a large number of the codecs included in VLC. But VLC is far from being just an FFmpeg GUI.