What is the CVSS score of CVE-2026-25161?

CVE-2026-25161 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Alist are affected by CVE-2026-25161?

Alist file management systems prior to version 3.57.0 are vulnerable to path traversal attacks that could allow unauthorized access to sensitive files outside intended directories.. A patch is available.

Is there a public PoC exploit available for CVE-2026-25161?

Yes, a public proof-of-concept exploit is available for CVE-2026-25161. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-25161?

Within 24 hours: Identify all Alist installations and their versions; assess which are internet-facing or accessible to untrusted users. Within 7 days: Apply vendor patch to upgrade all instances to version 3.57.0 or later; validate patch deployment across all systems. Within 30 days: Conduct file access audit to determine if exploitation occurred; review and strengthen access controls and file permission policies.

Alist CVE-2026-25161

HIGH

Path Traversal (CWE-22)

2026-02-04 security-advisories@github.com

GHSA-x4q4-7phh-42j9

Path Traversal Alist Suse

8.8

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

SUSE

HIGH

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 13, 2026 - 21:24 vuln.today

Public exploit code

Patch released

Feb 13, 2026 - 21:24 nvd

Patch available

CVE Published

Feb 04, 2026 - 20:16 nvd

HIGH 8.8

DescriptionGitHub Advisory

Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application contains path traversal vulnerability in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal, movement and copying across user boundaries within the same storage mount. This issue has been patched in version 3.57.0.

AnalysisAI

Path traversal in Alist prior to version 3.57.0 allows authenticated users to manipulate filename parameters and bypass directory restrictions within the same storage mount. Attackers can exploit this vulnerability to perform unauthorized file operations including deletion, movement, and copying across user boundaries. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as valid user

Delivery

Inject path traversal sequences in filename

Exploit

Bypass directory authorization checks

Execution

Access files outside permitted scope

Impact

Remove/move/copy unauthorized files

Access

Authenticate as valid user

Delivery

Inject path traversal sequences in filename

Exploit

Bypass directory authorization checks

Execution

Access files outside permitted scope

Impact

Remove/move/copy unauthorized files

Vulnerability AssessmentAI

Exploitation	Authenticated user account required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 8.8 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker without authentication could exploit this vulnerability to compromise the affected system.
Remediation	A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Alist installations and their versions; assess which are internet-facing or accessible to untrusted users. …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: High

CVE-2026-25161 vulnerability details – vuln.today

Back

Alist CVE-2026-25161

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code