CVE-2026-25161
Published: 04 February 2026
Summary
CVE-2026-25161 is a high-severity Path Traversal (CWE-22) vulnerability in Alistgo Alist. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485); ranked at the 8.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly prevents path traversal by validating filename components in file operation handlers and rejecting traversal sequences such as '../'.
- Enforces approved directory-level access authorizations, blocking authenticated attackers from unauthorized file removal, movement, or copying across user boundaries.
- Restricts information inputs to file handlers by limiting the special characters and sequences that enable path traversal bypasses.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal directly enables unauthorized file removal (maps to Data Destruction and Indicator Removal via File Deletion) plus movement/copying across boundaries (maps to Stored Data Manipulation).
NVD Description
Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application contains path traversal vulnerability in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal, movement and copying across user boundaries within the same storage mount. This issue has been patched in version 3.57.0.
Deeper analysis
CVE-2026-25161 is a path traversal vulnerability (CWE-22) in Alist, a file list program that supports multiple storages and is powered by Gin and Solidjs. The flaw affects multiple file operation handlers in versions prior to 3.57.0, allowing attackers to bypass directory-level authorization by injecting traversal sequences into filename components.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables unauthorized file removal, movement, and copying across user boundaries within the same storage mount, resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H). The CVSS v3.1 base score is 8.8 (S:U).
The issue has been addressed in Alist version 3.57.0. Additional details are available in the GitHub security advisory at https://github.com/AlistGo/alist/security/advisories/GHSA-x4q4-7phh-42j9 and the patching commit at https://github.com/AlistGo/alist/commit/b188288525b9a35c76535139311e7c036dab057e.
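The bug class described above (a client-supplied filename component joined onto an authorised directory without validation) and the filename-component check the mitigations call for, as an added Go example. This is illustrative code written for this page, not Alist's handlers or its fix; the function names and the `/users/alice` directory layout are assumed.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrTraversal is returned when a client-supplied filename component
// would escape the directory the caller is authorised for.
var ErrTraversal = errors.New("invalid filename component")

// naiveJoin illustrates the weak pattern (constructed, not Alist's code):
// the name is trusted and joined, so "../" in it escapes authorisedDir.
func naiveJoin(authorisedDir, name string) string {
	return path.Join(authorisedDir, name)
}

// ValidateName accepts only a single path element: not empty, not "." or
// "..", and with no path separators or NUL bytes.
func ValidateName(name string) error {
	if name == "" || name == "." || name == ".." {
		return ErrTraversal
	}
	if strings.ContainsAny(name, "/\\") || strings.ContainsRune(name, 0) {
		return ErrTraversal
	}
	return nil
}

// SafeJoin validates the component, joins it, and re-checks after
// normalisation that the result is still inside authorisedDir.
func SafeJoin(authorisedDir, name string) (string, error) {
	if err := ValidateName(name); err != nil {
		return "", err
	}
	root := path.Clean("/" + authorisedDir)
	target := path.Join(root, name)
	prefix := root
	if prefix != "/" {
		prefix += "/"
	}
	if !strings.HasPrefix(target+"/", prefix) {
		return "", ErrTraversal
	}
	return target, nil
}

func main() {
	// Constructed sample: a per-user directory and a traversal-laden name.
	fmt.Println(naiveJoin("/users/alice", "../bob/secret.txt"))
	_, err := SafeJoin("/users/alice", "../bob/secret.txt")
	fmt.Println(err)
}
```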
Details
- CWE(s)