CVE-2026-25161: Alist vulnerable to Path Traversal in multiple file operation handlers
Alist contains a Path Traversal vulnerability (CWE-22) in several of its file operation handlers (see the referenced `server/handles/fsbatch.go` and `server/handles/fsmanage.go`). The handlers enforce authorisation at the level of the requested directory, but the individual filename components supplied in the request are not validated before being joined onto that directory. An authenticated attacker can therefore place traversal sequences such as `../` in a filename component to resolve paths outside the directory they were authorised for, enabling unauthorised file removal, movement and copying across user boundaries within the same storage mount. The referenced commit b188288525b9a35c76535139311e7c036dab057e contains the fix.
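The following Go program is an added illustration of the flawed pattern and one way to harden it; it is not Alist's code and does not reproduce its permission model. `userCanAccess`, `vulnerableResolve`, `validateName` and `safeResolve` are hypothetical names, and the per-user "home directory" rule and the sample request are constructed for the example. The vulnerable resolver authorises the directory and then joins every name onto it, so a name containing `../` escapes into another user's tree; the hardened resolver rejects any name that is not a single path component and re-checks the resolved path as defence in depth.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrTraversal is returned when a filename component would escape its directory.
var ErrTraversal = errors.New("filename component contains path traversal")

// userCanAccess is a stand-in for a directory-level permission check
// (constructed for this example, not Alist's real model): a user may only
// operate on paths under their own base directory.
func userCanAccess(userBase, dir string) bool {
	dir = path.Clean("/" + dir)
	userBase = path.Clean("/" + userBase)
	return dir == userBase || strings.HasPrefix(dir, userBase+"/")
}

// vulnerableResolve mimics the flawed pattern: the directory is authorised,
// then each name is joined onto it without validating the name itself.
func vulnerableResolve(userBase, dir string, names []string) ([]string, error) {
	if !userCanAccess(userBase, dir) {
		return nil, errors.New("permission denied")
	}
	out := make([]string, 0, len(names))
	for _, n := range names {
		// path.Join cleans the result, so "../" in n silently walks out of dir.
		out = append(out, path.Join(dir, n))
	}
	return out, nil
}

// validateName accepts only a single, non-special path component.
// Backslashes are rejected too, since some backends treat them as separators.
func validateName(name string) error {
	if name == "" || name == "." || name == ".." {
		return ErrTraversal
	}
	if strings.ContainsAny(name, `/\`) {
		return ErrTraversal
	}
	return nil
}

// safeResolve validates every name before joining and re-checks that the
// resolved path still lies under the authorised base (defence in depth).
func safeResolve(userBase, dir string, names []string) ([]string, error) {
	if !userCanAccess(userBase, dir) {
		return nil, errors.New("permission denied")
	}
	out := make([]string, 0, len(names))
	for _, n := range names {
		if err := validateName(n); err != nil {
			return nil, fmt.Errorf("%q: %w", n, err)
		}
		full := path.Join(dir, n)
		if !userCanAccess(userBase, path.Dir(full)) {
			return nil, fmt.Errorf("%q: %w", n, ErrTraversal)
		}
		out = append(out, full)
	}
	return out, nil
}

func main() {
	// Constructed request: user "alice" is authorised for /alice/docs and
	// submits one legitimate name and one traversal payload.
	names := []string{"report.txt", "../../bob/secret.txt"}

	got, _ := vulnerableResolve("/alice", "/alice/docs", names)
	fmt.Println("vulnerable:", got) // second entry resolves to /bob/secret.txt

	if _, err := safeResolve("/alice", "/alice/docs", names); err != nil {
		fmt.Println("hardened:", err)
	}
}
```

The first check alone (rejecting separators and `..` in each component) is what closes the traversal; the second, re-checking the joined path against the authorised base, only matters if a later code change reintroduces a join on unvalidated input, which is exactly the kind of regression a per-component check sitting far from the join tends to miss.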
References
- github.com/AlistGo/alist
- github.com/AlistGo/alist/blob/b4d9beb49cba399842a54fcc33bc95a4a09b7bd4/server/handles/fsbatch.go
- github.com/AlistGo/alist/blob/b4d9beb49cba399842a54fcc33bc95a4a09b7bd4/server/handles/fsmanage.go
- github.com/AlistGo/alist/commit/b188288525b9a35c76535139311e7c036dab057e
- github.com/AlistGo/alist/security/advisories/GHSA-x4q4-7phh-42j9
- github.com/advisories/GHSA-x4q4-7phh-42j9
- nvd.nist.gov/vuln/detail/CVE-2026-25161