CVE-2026-25161
HIGH 8.8 | EPSS 0.03%
Alist vulnerable to Path Traversal in multiple file operation handlers in github.com/alist-org/alist
Published: 2/4/2026
Modified: 2/5/2026
Description
Alist vulnerable to Path Traversal in multiple file operation handlers in github.com/alist-org/alist
Affected packages (3)
- Go/github.com/alist-org/alist from 0
- Go/github.com/alist-org/alist/v3 from 0, < 3.57.0
- Go/github.com/alist-org/alist/v3 from 0, < 3.57.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References (6)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2026-25161
- PATCH: https://github.com/AlistGo/alist
- WEB: https://github.com/AlistGo/alist/blob/b4d9beb49cba399842a54fcc33bc95a4a09b7bd4/server/handles/fsbatch.go#L188-L189
- WEB: https://github.com/AlistGo/alist/blob/b4d9beb49cba399842a54fcc33bc95a4a09b7bd4/server/handles/fsmanage.go#L165-L166
- WEB: https://github.com/AlistGo/alist/commit/b188288525b9a35c76535139311e7c036dab057e
- WEB: https://github.com/AlistGo/alist/security/advisories/GHSA-x4q4-7phh-42j9