PT-2026-6279 · Alist · Alist

A7Um +1 · Published 2026-02-04 · Updated 2026-02-06 · CVE-2026-25161

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
Alist versions prior to 3.57.0

Description
Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. The application contains a path traversal issue in multiple file operation handlers. An authenticated attacker can bypass directory-level authorization by injecting traversal sequences into filename components. This allows unauthorized file removal, movement, and copying across user boundaries within the same storage mount. The vulnerability affects file operations and potentially compromises data integrity and confidentiality.

Recommendations
Update to version 3.57.0 or later.
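
The pattern the description refers to, shown as an added Go example that is not Alist's code and does not come from the advisory: a directory-only authorization check followed by an unchecked join, beside a hardened variant. The function names, the `/alice` and `/bob` directories and the request values are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// canWrite is a hypothetical directory-level permission check: the user may
// only touch paths inside their own base directory.
func canWrite(userBase, p string) bool {
	p = path.Clean("/" + p)
	return p == userBase || strings.HasPrefix(p, userBase+"/")
}

// unsafeTarget authorizes the directory only, then joins an unchecked name.
func unsafeTarget(userBase, dir, name string) (string, error) {
	if !canWrite(userBase, dir) {
		return "", errors.New("permission denied")
	}
	return path.Join(dir, name), nil // ".." segments in name are resolved here
}

// safeTarget requires a single path component and re-checks the final path.
func safeTarget(userBase, dir, name string) (string, error) {
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, "/\\") {
		return "", errors.New("invalid file name")
	}
	full := path.Join(path.Clean("/"+dir), name)
	if !canWrite(userBase, full) {
		return "", errors.New("permission denied")
	}
	return full, nil
}

func main() {
	// Constructed request: the directory is authorized, the name is not a plain name.
	base, dir, name := "/alice", "/alice/docs", "../../bob/report.txt"
	p, _ := unsafeTarget(base, dir, name)
	fmt.Println("unsafe resolves to:", p)
	_, err := safeTarget(base, dir, name)
	fmt.Println("safe result:", err)
}
```

The hardened variant applies both controls: it rejects any name that is not a single component, and it authorizes the final resolved path instead of only the directory supplied in the request.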

Exploit

Fix

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-25161
GHSA-X4Q4-7PHH-42J9
GO-2026-4415
SUSE-SU-2026:0403-1

Affected Products

Alist