CVE-2026-11416
Deferred Deferred - Pending Action
Path Traversal in MoviePilot Cloud Storage Handlers

Publication date: 2026-06-05

Last updated on: 2026-06-08

Assigner: VulnCheck

Description
MoviePilot contains a path traversal vulnerability in the AliPan, U115, and Rclone cloud storage download handlers where the local destination path is constructed by concatenating the configured download directory with a filename taken directly from remote cloud API metadata without basename normalization or path validation. An attacker who controls a filename returned by a remote cloud storage API can include traversal sequences ../ in the filename to cause downloaded content to be written outside the configured download directory, potentially overwriting arbitrary files including configuration or plugin files reachable by the application process.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-08
Generated
2026-06-27
AI Q&A
2026-06-06
EPSS Evaluated
2026-06-25
NVD
CVE-2026-11416
EUVD
EUVD-2026-34920
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a path traversal issue in MoviePilot's AliPan, U115, and Rclone cloud storage download handlers. The problem arises because the local destination path for downloaded files is created by simply joining the configured download directory with a filename obtained directly from remote cloud API metadata. There is no normalization or validation of the filename to remove or block traversal sequences like "../".

An attacker who can control the filename returned by the remote cloud storage API can exploit this by including traversal sequences in the filename. This causes the downloaded content to be saved outside the intended download directory, potentially overwriting arbitrary files on the system, including important configuration or plugin files accessible by the application.

Impact Analysis

This vulnerability can have serious impacts because it allows an attacker to write files outside the designated download directory. This can lead to overwriting critical files such as configuration or plugin files used by the application.

  • Potential unauthorized modification or corruption of application files.
  • Possible disruption of application functionality or stability.
  • Increased risk of further exploitation if critical files are overwritten.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11416. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart