Description
MoviePilot contains a path traversal vulnerability in the AliPan, U115, and Rclone cloud storage download handlers where the local destination path is constructed by concatenating the configured download directory with a filename taken directly from remote cloud API metadata without basename normalization or path validation. An attacker who controls a filename returned by a remote cloud storage API can include traversal sequences ../ in the filename to cause downloaded content to be written outside the configured download directory, potentially overwriting arbitrary files including configuration or plugin files reachable by the application process.
Published: 2026-06-05
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MoviePilot contains a path traversal vulnerability in the AliPan, U115, and Rclone cloud storage download handlers. The application builds the local destination path by concatenating the configured download directory with a filename obtained directly from remote cloud API metadata, without reducing it to a basename or validating the result. An attacker who can influence the filename returned by the cloud API can embed traversal sequences such as "../", causing the downloaded content to be written outside the intended directory. This permits the overwriting of arbitrary files writable by the MoviePilot process, including configuration files and plugin files, which could disrupt the application or alter its behaviour.

Affected Systems

The affected product is MoviePilot developed by jxxghp. All releases that include the AliPan, U115, and Rclone download handlers are vulnerable. The record gives no specific affected version range, so any release that predates the fix commit referenced under OpenCVE Recommended Actions should be treated as affected.

Risk and Exploitability

The CVSS v4.0 score of 7.2 (v3.1: 8.1) indicates high severity. Both vectors describe an attack reachable over the network with low privileges and no user interaction (AV:N/PR:L/UI:N), with no confidentiality impact but high integrity and availability impact. The EPSS score is not available, leaving the likelihood of exploitation uncertain, but the ability to overwrite arbitrary files is a significant concern. The vulnerability is not listed in the CISA KEV catalog. No local access to the MoviePilot host is required: the prerequisite is the ability to influence a filename that the cloud storage API returns to MoviePilot, which the advisory does not elaborate on. Based on the description, it is inferred that overwriting plugin files could lead to code execution if the replaced files are executed or loaded on a plugin reload, although this outcome is not explicitly confirmed by the advisory.

Generated by OpenCVE AI on June 6, 2026 at 00:21 UTC.

Remediation

No vendor advisory or documented workaround is recorded on this page. The fix commit is referenced under OpenCVE Recommended Actions.

OpenCVE Recommended Actions

  • Apply the latest MoviePilot release or merge the fix provided in the commit https://github.com/jxxghp/MoviePilot/commit/a0b3800f6bf4857bf4f889a63d44350eb8380f28.
  • If an immediate update is not possible, sanitize filenames obtained from cloud APIs before building the destination path: reduce them to a bare basename, reject empty names and names that contain traversal sequences, and verify that the resolved destination still lies inside the download directory; alternatively, disable the AliPan, U115, and Rclone download handlers until a patch is applied.
  • Place the configured download directory in a protected location with permissions that allow write access only to the MoviePilot process, thereby restricting the impact of any potential overwrite.
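The following Python example is added here to illustrate the pattern the advisory describes and the sanitization the recommended actions ask for; it is not MoviePilot's code and does not reproduce the project's handlers. It assumes the cloud API returns one dict per file with a "name" key, and the sample listing (including the traversal-style names) is constructed for the example. The vulnerable builder is shown beside a hardened one, and a path-containment check is done with os.path.commonpath rather than a string prefix test, because a prefix test would accept /srv/downloads2/x as being under /srv/downloads.

```python
"""Added example (not MoviePilot's code): the concatenation pattern described in
the advisory, beside a hardened destination-path builder.

Assumptions: the cloud API returns a dict per file with a "name" key; the
download root is any directory path. No network access is needed."""
import os
from pathlib import Path, PurePosixPath

# Constructed sample metadata standing in for an AliPan/U115/Rclone listing.
# The traversal-style names are hypothetical attacker-controlled values.
SAMPLE_REMOTE_FILES = [
    {"name": "Movie.2024.1080p.mkv"},
    {"name": "../../config/app.env"},            # classic ../ traversal
    {"name": "/etc/passwd"},                     # absolute name: join() drops the root
    {"name": "season1\\..\\..\\plugins\\x.py"},  # backslash variant (escapes only on Windows)
    {"name": ".."},                              # degenerate name, no usable basename
]


def unsafe_local_path(download_dir, remote_name):
    """The vulnerable pattern: root + remote name, no basename, no validation.
    os.path.join discards download_dir entirely when remote_name is absolute."""
    return os.path.join(download_dir, remote_name)


def escapes_download_dir(download_dir, local_path):
    """True when local_path normalizes to a location outside download_dir.

    commonpath is used instead of str.startswith: a plain prefix test would
    let /srv/downloads2/x pass as if it were under /srv/downloads."""
    root = os.path.normpath(os.path.abspath(download_dir))
    target = os.path.normpath(os.path.abspath(local_path))
    return os.path.commonpath([root, target]) != root


def safe_local_path(download_dir, remote_name):
    """Hardened builder: reduce the remote name to a bare filename, then verify
    the resolved destination still sits directly under the download root."""
    if "\x00" in remote_name:
        raise ValueError("NUL byte in remote filename")
    # Cloud APIs report '/'-separated names; treat '\' the same so a name built
    # for a Windows host cannot smuggle a separator past PurePosixPath.
    base = PurePosixPath(remote_name.replace("\\", "/")).name
    if base in ("", ".", ".."):
        raise ValueError(f"no usable basename in {remote_name!r}")
    root = Path(download_dir).resolve()
    candidate = (root / base).resolve()
    # Defence in depth: also catches a pre-planted symlink named `base` that
    # points outside the root, since resolve() follows it.
    if candidate.parent != root:
        raise ValueError(f"{remote_name!r} resolves outside {root}")
    return candidate


def plan_downloads(download_dir, remote_files):
    """Map each remote name to its local destination (as a string) when the
    hardened builder accepts it, or to "rejected" when it does not."""
    plan = {}
    for meta in remote_files:
        name = meta["name"]
        try:
            plan[name] = str(safe_local_path(download_dir, name))
        except ValueError:
            plan[name] = "rejected"
    return plan


if __name__ == "__main__":
    root = "/srv/downloads"
    for meta in SAMPLE_REMOTE_FILES:
        p = unsafe_local_path(root, meta["name"])
        verdict = "ESCAPES" if escapes_download_dir(root, p) else "ok"
        print(f"unsafe: {meta['name']!r:40} -> {os.path.normpath(p)} {verdict}")
    for name, dest in plan_downloads(root, SAMPLE_REMOTE_FILES).items():
        print(f"safe:   {name!r:40} -> {dest}")
```

The hardened builder follows the first option in the recommended actions (keep only the basename), so "../../config/app.env" is silently written as app.env inside the download directory. A stricter policy that rejects any name containing a separator or a ".." component is equally valid and gives better signal in logs; which to choose depends on whether the handler is ever expected to receive relative paths rather than leaf filenames.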

Advisories

No advisories yet.

History

Sat, 06 Jun 2026 01:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Jxxghp
                                      Jxxghp moviepilot
Vendors & Products                    Jxxghp
                                      Jxxghp moviepilot

Fri, 05 Jun 2026 22:00:00 +0000

Type / Values Removed / Values Added (no values were removed in this entry):

Description: MoviePilot contains a path traversal vulnerability in the AliPan, U115, and Rclone cloud storage download handlers where the local destination path is constructed by concatenating the configured download directory with a filename taken directly from remote cloud API metadata without basename normalization or path validation. An attacker who controls a filename returned by a remote cloud storage API can include traversal sequences ../ in the filename to cause downloaded content to be written outside the configured download directory, potentially overwriting arbitrary files including configuration or plugin files reachable by the application process.
Title: MoviePilot Path Traversal via Cloud Storage Download Handlers
Weaknesses: CWE-22
References: (empty)
Metrics:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}
  cvssV4_0: {'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-05T21:42:49.274Z

Reserved: 2026-06-05T19:08:04.224Z

Link: CVE-2026-11416

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-05T22:16:47.127

Modified: 2026-06-05T22:16:47.127

Link: CVE-2026-11416

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T01:00:09Z

Weaknesses