CVE-2026-11416

Name of the Vulnerable Software and Affected Versions MoviePilot (affected versions not specified)

Description Path traversal exists in the AliPan, U115, and Rclone cloud storage download handlers. The issue occurs because the local destination path is created by concatenating the configured download directory with a filename retrieved from remote cloud API metadata without performing path validation or basename normalization. An attacker controlling a filename returned by a remote cloud storage API can use traversal sequences such as ../ to write downloaded content outside the intended directory, which may lead to the overwriting of arbitrary configuration or plugin files accessible by the application process.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.