Platform
go
Component
github.com/alist-org/alist
Fixed in
3.57.1
3.57.0
CVE-2026-25161 describes a Path Traversal vulnerability affecting alist, a file sharing and storage application. This vulnerability allows attackers to potentially read arbitrary files on the server, leading to sensitive data exposure. The vulnerability impacts versions of alist prior to 3.57.0, and a patch has been released to address the issue.
The Path Traversal vulnerability in alist allows an attacker to bypass intended access restrictions and read files outside of the intended directory. This could include sensitive configuration files, source code, or even user data. Successful exploitation could lead to the disclosure of credentials, API keys, or other confidential information. The impact is amplified if the alist instance is used to store sensitive data or is integrated with other systems, as an attacker could potentially gain access to broader resources through this initial foothold. This vulnerability is similar in nature to other path traversal flaws, where attackers manipulate file paths to access unauthorized resources.
CVE-2026-25161 was publicly disclosed on 2026-02-05. There is currently no indication of active exploitation campaigns targeting this vulnerability. The EPSS score is pending evaluation. Public proof-of-concept exploits are not yet widely available, but the nature of Path Traversal vulnerabilities makes it likely that such exploits will emerge.
Exploit Status
EPSS
0.03% (7th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-25161 is to upgrade alist to version 3.57.0 or later. If upgrading immediately is not feasible, consider implementing temporary workarounds such as restricting file access permissions and implementing stricter input validation on file paths. Web application firewalls (WAFs) configured with rules to detect and block path traversal attempts can also provide an additional layer of defense. Monitor alist logs for suspicious file access patterns, particularly requests containing directory traversal sequences like ../.
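The "stricter input validation on file paths" and log monitoring advised above, as an added Go example that is not alist's own code: the advisory does not say where in alist the flaw lives, so the share root, request paths and function names here are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

var ErrTraversal = errors.New("path escapes the shared root")

// SafeJoin resolves a client-supplied relative path against root and
// refuses any result that lands outside root. One decode step means
// "%2e%2e" is handled like "..", as a URL-decoding server would see it.
func SafeJoin(root, userPath string) (string, error) {
	decoded, err := url.PathUnescape(userPath)
	if err != nil {
		return "", err
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Join cleans ".." segments, so a traversal attempt resolves to a path
	// above absRoot; Rel then exposes that as a result starting with "..".
	candidate := filepath.Join(absRoot, decoded)
	rel, err := filepath.Rel(absRoot, candidate)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrTraversal
	}
	return candidate, nil
}

// HasTraversalMarker flags request paths worth reviewing in access logs: a raw
// or percent-encoded ".." segment. It is a triage filter, not proof of exploitation.
func HasTraversalMarker(requestPath string) bool {
	decoded, err := url.PathUnescape(strings.ToLower(requestPath))
	if err != nil {
		decoded = strings.ToLower(requestPath)
	}
	return strings.Contains(decoded, "../") || strings.Contains(decoded, "..\\") ||
		strings.HasSuffix(decoded, "/..")
}

func main() {
	// Constructed sample inputs; /srv/alist/data is a hypothetical share root.
	for _, p := range []string{"docs/readme.md", "../../etc/passwd", "%2e%2e/%2e%2e/etc/shadow"} {
		resolved, err := SafeJoin("/srv/alist/data", p)
		fmt.Printf("%-26s -> %q err=%v\n", p, resolved, err)
	}
}
```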
Update Alist to version 3.57.0 or later. This version contains the fix for the path traversal vulnerability. Download the latest version from the official website or the AlistGo repository.
CVE-2026-25161 is a Path Traversal vulnerability in alist (github.com/alist-org/alist) allowing attackers to read arbitrary files on the server.
You are affected if you are running alist versions prior to 3.57.0. Upgrade to the latest version to mitigate the risk.
Upgrade alist to version 3.57.0 or later. Consider temporary workarounds like restricting file access and using a WAF if immediate upgrade is not possible.
There is currently no indication of active exploitation campaigns, but the vulnerability's nature makes exploitation likely.
Refer to the alist GitHub repository and release notes for the official advisory and details on the fix: https://github.com/alist-org/alist