CVE-2026-11416 – MoviePilot Path Traversal via Cloud Storage Download Handlers

CVE ID: CVE-2026-11416

Published: June 5, 2026, 10:16 p.m.

Description: MoviePilot contains a path traversal vulnerability in the AliPan, U115, and Rclone cloud storage download handlers. The local destination path is constructed by concatenating the configured download directory with a filename taken directly from remote cloud API metadata, without basename normalization or path validation. An attacker who controls a filename returned by a remote cloud storage API can include traversal sequences (../) in the filename to cause downloaded content to be written outside the configured download directory, potentially overwriting arbitrary files reachable by the application process, including configuration or plugin files.

Severity: 8.1 | HIGH
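
The flaw class described above, as an added example that is not MoviePilot's code: the unchecked join next to a destination builder that applies both basename normalization and a containment check. All function names and sample filenames are hypothetical and constructed for illustration.

```python
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafeFilename(ValueError):
    """Raised when a remote-supplied name cannot be used as a local filename."""


def unsafe_destination(download_dir: str, remote_name: str) -> Path:
    # Pattern from the description: download directory + remote filename, unchecked.
    return Path(download_dir) / remote_name


def safe_destination(download_dir: str, remote_name: str) -> Path:
    # Basename normalization: drop any directory part, for both "/" and "\" separators.
    name = PureWindowsPath(PurePosixPath(remote_name).name).name
    if name in ("", ".", "..") or "\x00" in name:
        raise UnsafeFilename(f"rejected remote filename: {remote_name!r}")
    base = Path(download_dir).resolve()
    dest = (base / name).resolve()
    # Path validation: the resolved target must still be under the download
    # directory (this also catches a symlink planted inside that directory).
    if not dest.is_relative_to(base):  # Python 3.9+
        raise UnsafeFilename(f"{remote_name!r} resolves outside {base}")
    return dest


def escapes(download_dir: str, candidate: Path) -> bool:
    """True when candidate resolves to a location outside download_dir."""
    return not candidate.resolve().is_relative_to(Path(download_dir).resolve())


# Constructed filenames standing in for values returned by a remote storage API.
SAMPLE_NAMES = ["movie.mkv", "../config/app.env", "..\\plugins\\x.py", ".."]

if __name__ == "__main__":
    import tempfile

    root = tempfile.mkdtemp()
    for remote in SAMPLE_NAMES:
        leaked = escapes(root, unsafe_destination(root, remote))
        try:
            result = safe_destination(root, remote).name
        except UnsafeFilename as exc:
            result = f"rejected ({exc})"
        print(f"{remote!r}: unchecked join escapes={leaked}, hardened -> {result}")
```

The hardened version keeps only the final path component, so a traversal name lands inside the download directory under its basename; rejecting any name that contains a separator is a stricter alternative.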
