Description

MoviePilot contains a path traversal vulnerability in the AliPan, U115, and Rclone cloud storage download handlers. The local destination path is constructed by concatenating the configured download directory with a filename taken directly from remote cloud API metadata, without basename normalization or path validation. An attacker who controls a filename returned by a remote cloud storage API can include traversal sequences (../) in the filename, causing downloaded content to be written outside the configured download directory and potentially overwriting arbitrary files, including configuration or plugin files, that are writable by the application process.
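To make the flaw concrete, the following added example (not MoviePilot's own code) shows the vulnerable join pattern the description refers to, a containment check a reviewer can apply to any candidate destination, and a hardened builder that keeps only the basename and verifies the result stays under the download directory. The download directory and the remote filenames are constructed sample values.

```python
"""Added example for CVE-2026-11416 (constructed, not MoviePilot's code)."""
import os
from pathlib import PurePosixPath

DOWNLOAD_DIR = "/data/downloads"  # assumed configured download directory


def unsafe_dest_path(download_dir: str, remote_name: str) -> str:
    """Vulnerable pattern: the configured directory is joined with a filename
    taken verbatim from remote cloud metadata. '..' segments are kept, and an
    absolute remote name makes os.path.join discard download_dir entirely."""
    return os.path.join(download_dir, remote_name)


def escapes_directory(download_dir: str, dest: str) -> bool:
    """Lexical containment check: True when dest lands outside download_dir
    once '..' segments are collapsed. Purely string-based, so it does not
    follow symlinks; resolve real paths first if the directory may contain them."""
    base = os.path.normpath(os.path.abspath(download_dir))
    target = os.path.normpath(os.path.abspath(dest))
    return os.path.commonpath([base, target]) != base


def safe_dest_path(download_dir: str, remote_name: str) -> str:
    """Hardened builder: keep only the last path component of the remote name,
    reject empty or dot-only names, then confirm the result is inside
    download_dir before returning it."""
    # Cloud APIs return '/' separators; map backslashes first so a
    # Windows-style separator cannot smuggle in a directory component.
    name = PurePosixPath(remote_name.replace("\\", "/")).name
    if name in ("", ".", ".."):
        raise ValueError(f"refusing unsafe remote filename: {remote_name!r}")
    dest = os.path.join(download_dir, name)
    if escapes_directory(download_dir, dest):
        raise ValueError(f"path escapes download directory: {dest}")
    return os.path.normpath(dest)


if __name__ == "__main__":
    # Constructed sample names as a hostile cloud listing might return them.
    for remote in ("movie.mkv", "../../config/app.env", "/data/plugins/helper.py"):
        dest = unsafe_dest_path(DOWNLOAD_DIR, remote)
        print(f"{remote!r}: unsafe -> {dest!r}, escapes={escapes_directory(DOWNLOAD_DIR, dest)}")
        print(f"{'':>{len(repr(remote))}}  safe   -> {safe_dest_path(DOWNLOAD_DIR, remote)!r}")
```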

PUBLISHED Reserved 2026-06-05 | Published 2026-06-05 | Updated 2026-06-05 | Assigner VulnCheck

HIGH: 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

HIGH: 7.2 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

Default status: unknown

Any version before 2.13.4: affected

Credits

Yu Sun (finder)

References

github.com/jxxghp/MoviePilot product

github.com/jxxghp/MoviePilot/issues/5894 issue-tracking

github.com/...ommit/a0b3800f6bf4857bf4f889a63d44350eb8380f28 patch

cve.org (CVE-2026-11416)

nvd.nist.gov (CVE-2026-11416)