Description
Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application contains a path traversal vulnerability in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal, movement and copying across user boundaries within the same storage mount. This issue has been patched in version 3.57.0.
Published: 2026-02-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized file removal, movement, and copying across user boundaries
Action: Immediate Patch
AI Analysis

Impact

Alist is vulnerable to a path traversal flaw in several file operation handlers. An attacker who has authenticated access can inject traversal sequences into filename components, which allows that attacker to bypass ordinary directory‑level authorization checks. The consequence is that the attacker can delete, move, or copy files across user boundaries within the same storage mount, effectively erasing or exfiltrating other users' data without permissions.

Affected Systems

The vulnerability applies to AlistGo: Alist deployments running any version before 3.57.0. Versions 3.57.0 and later contain the fix and are not affected.

Risk and Exploitability

The CVSS score is 8.8, indicating high severity. The EPSS score is below 1%, showing that exploitation likelihood is currently low but not nonexistent, and the flaw is not yet listed in CISA's KEV catalog. Exploitation requires a legitimate authenticated session; with such access the attacker can craft filenames containing traversal sequences and invoke the delete, move, or copy operations, thereby compromising data integrity and potentially confidentiality across users.

Generated by OpenCVE AI on April 17, 2026 at 23:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Alist to version 3.57.0 or newer; this release contains the patch that removes the traversal vectors.
  • If an upgrade is not immediately possible, restrict the permissions of authenticated users to prevent them from performing delete, move, or copy operations, thereby limiting the impact of the traversal flaw.
  • Apply a file‑system or application‑layer filter to reject filenames containing ".." or other traversal patterns until the official update can be applied.
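One way to implement the filename filter from the last recommendation, as an added example that is not Alist's own code: the hypothetical `safeJoin` rejects any filename that is not a single plain path component and then independently verifies that the cleaned result still sits inside the caller's authorised directory. The directory and filenames are constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrTraversal is returned when a filename would escape the authorised directory.
var ErrTraversal = errors.New("filename contains a path traversal sequence")

// validComponent (hypothetical helper) reports whether name is a single plain path
// component: non-empty, not "." or "..", and free of both separator styles.
func validComponent(name string) bool {
	if name == "" || name == "." || name == ".." {
		return false
	}
	// Backslashes are rejected too, since some backends treat them as separators.
	return !strings.ContainsAny(name, "/\\")
}

// safeJoin (hypothetical) joins a request-supplied filename onto the directory the
// caller is authorised for and fails closed on any attempt to leave that directory.
func safeJoin(authDir, name string) (string, error) {
	if !validComponent(name) {
		return "", ErrTraversal
	}
	base := path.Clean("/" + authDir)
	joined := path.Clean(path.Join(base, name))
	// Independent second check: the cleaned result must still be strictly under base.
	prefix := base
	if prefix != "/" {
		prefix += "/"
	}
	if !strings.HasPrefix(joined, prefix) {
		return "", ErrTraversal
	}
	return joined, nil
}

func main() {
	// Constructed sample requests: authorised directory plus the filename from the request.
	samples := []struct{ dir, name string }{
		{"/users/alice", "report.pdf"},
		{"/users/alice", "../bob/secret.txt"},
		{"/users/alice", "..\\bob\\secret.txt"},
		{"/users/alice", ".."},
	}
	for _, s := range samples {
		p, err := safeJoin(s.dir, s.name)
		fmt.Printf("%-22q -> %q err=%v\n", s.name, p, err)
	}
}
```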

Advisories
Source: GitHub GHSA
ID: GHSA-x4q4-7phh-42j9
Title: Alist vulnerable to Path Traversal in multiple file operation handlers
History

Fri, 13 Feb 2026 21:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:alistgo:alist:*:*:*:*:*:*:*:*

Thu, 05 Feb 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Feb 2026 11:45:00 +0000

Type: First Time appeared
Values Added: Alistgo, Alistgo alist
Type: Vendors & Products
Values Added: Alistgo, Alistgo alist

Wed, 04 Feb 2026 20:00:00 +0000

Type: Description
Values Added: Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application contains a path traversal vulnerability in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal, movement and copying across user boundaries within the same storage mount. This issue has been patched in version 3.57.0.
Type: Title
Values Added: Alist vulnerable to Path Traversal in multiple file operation handlers
Type: Weaknesses
Values Added: CWE-22
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-05T14:32:40.886Z

Reserved: 2026-01-29T15:39:11.822Z

Link: CVE-2026-25161

Vulnrichment

Updated: 2026-02-05T14:23:11.853Z

NVD

Status : Analyzed

Published: 2026-02-04T20:16:06.870

Modified: 2026-02-13T21:24:02.773

Link: CVE-2026-25161

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:30:15Z

Weaknesses