Skip to main content

MoviePilot EUVDEUVD-2026-34920

| CVE-2026-11416 HIGH
Path Traversal (CWE-22)
2026-06-05 VulnCheck GHSA-cpw6-f634-6rvj
7.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Jun 05, 2026 - 22:27 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 05, 2026 - 22:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 05, 2026 - 22:22 vuln.today
cvss_changed
CVSS changed
Jun 05, 2026 - 22:22 NVD
8.1 (HIGH) 7.2 (HIGH)
Source Code Evidence Fetched
Jun 05, 2026 - 22:15 vuln.today
Analysis Generated
Jun 05, 2026 - 22:15 vuln.today

DescriptionCVE.org

MoviePilot contains a path traversal vulnerability in the AliPan, U115, and Rclone cloud storage download handlers where the local destination path is constructed by concatenating the configured download directory with a filename taken directly from remote cloud API metadata without basename normalization or path validation. An attacker who controls a filename returned by a remote cloud storage API can include traversal sequences ../ in the filename to cause downloaded content to be written outside the configured download directory, potentially overwriting arbitrary files including configuration or plugin files reachable by the application process.

AnalysisAI

Path traversal in MoviePilot's AliPan, U115, Rclone, and SMB cloud storage download handlers allows an attacker who controls remote filenames to write files outside the configured download directory. The flaw stems from unsanitized concatenation of filenames returned by remote cloud APIs, enabling overwrite of configuration files, plugins, or other files accessible to the application process. No public exploit identified at time of analysis, but a vendor patch is available via upstream commit a0b3800.

Technical ContextAI

MoviePilot is a Python-based media automation tool (jxxghp/MoviePilot) that integrates with cloud storage providers including AliPan (Aliyun Drive), U115 (115 Cloud), Rclone, and SMB. The vulnerable code in app/modules/filemanager/storages/*.py constructed local download paths via (path or settings.TEMP_PATH) / fileitem.name - directly joining the configured directory with a filename obtained from remote cloud storage metadata. This is a textbook CWE-22 (Path Traversal) instance: because pathlib's / operator does not normalize or sanitize a trailing component containing ../ sequences, a malicious filename like ../../etc/config.yaml resolves outside the intended base directory. The patch introduces _safe_download_name (using PurePosixPath(...).name to strip directory components) and _build_download_path (which additionally calls resolve().relative_to(path.resolve()) to enforce containment).

RemediationAI

Upstream fix available (commit a0b3800f6bf4857bf4f889a63d44350eb8380f28); released patched version not independently confirmed - pull the latest MoviePilot main branch or the first tagged release containing this commit from https://github.com/jxxghp/MoviePilot. The fix adds basename normalization via PurePosixPath().name and a resolve()/relative_to() containment check in a new _build_download_path helper applied to AliPan, U115, Rclone, and SMB handlers. As compensating controls until upgrade, restrict MoviePilot to cloud accounts and shared folders you fully control (avoid ingesting public or third-party-shared content), run the MoviePilot process as an unprivileged user with the download directory on a dedicated filesystem or bind mount so traversal cannot reach configuration paths, and make the MoviePilot config and plugin directories read-only to the runtime user (trade-off: blocks legitimate in-app config writes and plugin installs). Monitor for unexpected files appearing under MoviePilot's app, config, or plugin directories.

Share

EUVD-2026-34920 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy