HIGH 8.1

CVE-2026-11416: MoviePilot Path Traversal in Cloud Storage Download Handlers

MoviePilot, a media download application, has a critical flaw in how it handles files downloaded from cloud storage services like AliPan, U115, and Rclone. When a file is downloaded, the application takes the filename provided by the cloud service and directly uses it to determine where to save the file locally. An attacker who compromises or manipulates the cloud storage metadata can craft a filename containing path traversal sequences (like ../) to trick MoviePilot into writing files outside the intended download directory. This could allow overwriting sensitive application files, configuration files, or plugins, potentially compromising the entire system.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Weaknesses (CWE)
CWE-22
Affected products
0 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

MoviePilot contains a path traversal vulnerability in the AliPan, U115, and Rclone cloud storage download handlers where the local destination path is constructed by concatenating the configured download directory with a filename taken directly from remote cloud API metadata without basename normalization or path validation. An attacker who controls a filename returned by a remote cloud storage API can include traversal sequences ../ in the filename to cause downloaded content to be written outside the configured download directory, potentially overwriting arbitrary files including configuration or plugin files reachable by the application process.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11416 exploits insufficient input validation in MoviePilot's cloud storage download handlers for AliPan, U115, and Rclone integrations. The vulnerability stems from unsafe path construction where user-controlled filenames from cloud API responses are concatenated directly with the configured download directory without basename normalization or validation. An authenticated attacker capable of controlling filenames in the remote cloud storage metadata can inject directory traversal sequences to cause arbitrary file writes at paths accessible to the MoviePilot process. The CVSS 3.1 score of 8.1 (HIGH) reflects the requirement for prior authentication (PR:L) but acknowledges significant integrity and availability impact potential.

Business impact

Organizations relying on MoviePilot for media management face risk of system compromise through file overwrite attacks. Attackers could replace configuration files to alter application behavior, inject malicious plugin code to achieve persistent execution, or corrupt critical files to disrupt service availability. The impact is particularly severe in shared or multi-user environments where MoviePilot processes user requests, as compromised files could affect all downstream operations. Remediation delays increase exposure window for targeted attacks against high-value media libraries or integrated backup systems.

Affected systems

MoviePilot installations using cloud storage integration features—specifically AliPan, U115, or Rclone handlers—are affected. The vulnerability requires an authenticated user or attacker with cloud storage account access to manipulate filenames in the remote metadata. Systems where MoviePilot runs with elevated privileges or where the application directory is world-writable face heightened risk of lateral privilege escalation or system-wide compromise.

Exploitability

Exploitation requires authentication (PR:L per CVSS vector) and ability to control filenames returned by the targeted cloud storage service. This could be achieved through compromised cloud credentials, insider threat, or in cases where an attacker controls the cloud storage account. The attack does not require user interaction (UI:N) and operates over the network (AV:N). Once the malicious filename is crafted, exploitation is straightforward: initiate a download operation and MoviePilot's unsafe concatenation logic automatically triggers the write to the traversal path. No special tools or public exploits are required; standard cloud storage access suffices.

Remediation

Implement immediate basename normalization and path validation for all downloaded filenames across AliPan, U115, and Rclone handlers. Apply the following controls: (1) extract only the filename component using secure basename functions, rejecting any path separators or traversal sequences; (2) validate that the resolved destination path remains within the configured download directory using realpath or equivalent canonicalization; (3) sanitize or reject filenames containing ../, .., or other traversal patterns; (4) consider implementing a whitelist of acceptable filename characters. Verify the fix prevents traversal in all three affected handlers. Update MoviePilot to a patched version once available from the vendor.

Patch guidance

Verify and apply the latest security update from MoviePilot's official release channel. Confirm the update addresses path traversal in all three cloud storage handlers (AliPan, U115, Rclone). Prior to patching, restrict cloud storage integration features or disable unused handlers if operationally feasible. After patching, clear any locally cached cloud metadata and test download functionality to confirm filenames are correctly normalized. Organizations should prioritize this patch for systems with direct internet exposure or those handling sensitive media archives.

Detection guidance

Monitor MoviePilot process logs and filesystem activity for unusual file write patterns: look for downloaded files appearing in directories outside the configured download path, or write attempts to system configuration directories, plugin directories, or parent directories of the download folder. Implement file integrity monitoring on MoviePilot's configuration and plugin directories to detect unauthorized modifications. Cloud storage audit logs may reveal suspicious filename patterns containing ../ or unusual path-like sequences in filenames. Network-level detection is limited since the exploit occurs after download initiation; focus on post-download file system forensics.

Why prioritize this

This vulnerability merits high priority due to its potential for system compromise through file overwrite, the low barrier to exploitation for authenticated users, and the direct accessibility of the attack surface (cloud storage download handlers). The CVSS 8.1 severity, combined with integrity and availability impact (I:H/A:H), reflects the serious nature of arbitrary file writes. Organizations with MoviePilot integrated into automated media workflows or those running it with elevated privileges should treat this as critical.

Risk score, explained

The CVSS 3.1 score of 8.1 reflects a network-accessible vulnerability (AV:N) with low attack complexity (AC:L), requiring only low-level authentication (PR:L) and no user interaction (UI:N). The high impact on integrity (I:H) and availability (A:H) drives the severity classification, as successful exploitation allows overwriting arbitrary files and potentially rendering the application or system inoperable. The requirement for prior authentication prevents a score of 9.0 or higher, but the ease of exploitability and destructive potential justify the HIGH rating.

Frequently asked questions

Do I need valid cloud storage credentials to exploit this vulnerability?

Yes, the vulnerability requires an authenticated context (PR:L in the CVSS vector). An attacker would need either compromised cloud storage credentials or the ability to control filenames at the cloud storage provider level. However, legitimate users with valid cloud accounts could also inadvertently trigger the vulnerability if a cloud storage account is compromised.

What files are at risk of being overwritten?

Any files writable by the MoviePilot process are at risk, including configuration files, plugin files, application binaries (if the process has write permission), and files in parent directories of the download folder. The exact scope depends on the permissions granted to the MoviePilot process and the filesystem structure. In worst-case scenarios, attackers could achieve code execution by overwriting plugin or script files loaded by MoviePilot.

Is this vulnerability being exploited in the wild?

There is no current indication of active exploitation (KEV status is not listed). However, path traversal vulnerabilities are well-understood attack vectors and tools to craft malicious filenames are readily available. Organizations should not assume lack of current exploitation means low risk; timely patching remains critical.

Can I mitigate this without patching?

Partial mitigation is possible: disable or restrict access to the affected cloud storage handlers (AliPan, U115, Rclone) if not operationally essential, run MoviePilot with minimal required privileges, and implement strict access controls on cloud storage accounts. However, these are temporary measures; applying the vendor patch once available is the definitive remediation.

This analysis is based on the published CVE description and CVSS vector as of the modification date (2026-06-17). Specific patch version numbers, affected product versions, and detailed remediation steps should be verified against official MoviePilot security advisories and release notes. No public exploit code is known to the authors at time of publication. This assessment is provided for informational purposes to support security decision-making and should be combined with your organization's risk assessment and threat modeling practices. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).