CVE-2026-25161HIGH 8.8EPSS p49.1%

CVE-2026-25161CVE-2026-25161

Description

Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application contains path traversal vulnerability in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal, movement and copying across user boundaries within the same storage mount. This issue has been patched in version 3.57.0.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.72% probability of exploitation · percentile 49.1% · 2026-06-19T12:03:05Z
Published2026-02-04
Last modified2026-02-13

Underlying weaknesses· 1

CWE-22

References

  1. https://github.com/AlistGo/alist/commit/b188288525b9a35c76535139311e7c036dab057e
  2. https://github.com/AlistGo/alist/security/advisories/GHSA-x4q4-7phh-42j9

1

TypeTargetConfidenceTier
WeaknessImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')cwe-220%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-25059
CVE
CVE-2026-25890
CVE
CVE-2026-39981
CVE
CVE-2026-32684
CVE
CVE-2025-2305
CVE
CVE-2026-36762
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.