By injection malicious code into subtitle files, hackers are able to take full control of a device that loads the malicious subtitles. The exploit affects four of the biggest media streaming services: VLC, Kodi, Popcorn Time, and Strem.io.
https://www.notebookcheck.net/Vulnerability-found-in-subtitle-system-of-VLC-Kodi-and-other-media-players.223900.0.html