CVE-2026-11416: MoviePilot Path Traversal via Cloud Storage Download Handlers
MoviePilot contains a path traversal vulnerability in the AliPan, U115, and Rclone cloud storage download handlers: the local destination path is built by concatenating the configured download directory with a filename taken directly from remote cloud API metadata, with no basename normalization or path validation. An attacker who controls a filename returned by a remote cloud storage API can embed traversal sequences such as ../ in it so that downloaded content is written outside the configured download directory, potentially overwriting arbitrary files, including configuration or plugin files, that are writable by the application process.
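The following is an added illustration of the flaw described above, not code from MoviePilot itself: a join that mirrors the vulnerable pattern (download directory + remote filename as-is) next to a hardened mapping that applies basename normalization and a containment check. The download directory, the sample cloud listing, and the function names are all assumptions made for this example.

```python
import os
from pathlib import PurePosixPath


class UnsafeFilename(ValueError):
    """Raised when a remote-supplied filename would escape the download directory."""


def escapes_download_dir(download_dir: str, dest: str) -> bool:
    # True when the fully resolved destination is not inside the resolved download dir.
    base = os.path.realpath(download_dir)
    return os.path.commonpath([base, os.path.realpath(dest)]) != base


def vulnerable_dest_path(download_dir: str, remote_name: str) -> str:
    # The pattern the advisory describes: the configured directory is joined with the
    # filename from cloud API metadata unchanged, so any "../" segments are honoured.
    return os.path.join(download_dir, remote_name)


def safe_dest_path(download_dir: str, remote_name: str) -> str:
    # Hardened mapping: keep only the final path component (basename normalization),
    # reject degenerate names and embedded separators, then verify containment.
    name = PurePosixPath(remote_name).name
    if name in ("", ".", "..") or "\\" in name or "\x00" in name:
        raise UnsafeFilename(f"rejected remote filename {remote_name!r}")
    dest = os.path.join(os.path.realpath(download_dir), name)
    if escapes_download_dir(download_dir, dest):
        raise UnsafeFilename(f"{remote_name!r} resolves outside {download_dir}")
    return dest


# Constructed sample of what a cloud listing might return; not real API output.
SAMPLE_REMOTE_ITEMS = [
    {"file_id": "f1", "name": "movie.mkv"},
    {"file_id": "f2", "name": "../../config/app.yaml"},
    {"file_id": "f3", "name": "Season 1/ep01.mkv"},
    {"file_id": "f4", "name": ".."},
]


def plan_downloads(download_dir, items):
    """Map listing entries to local paths; returns (accepted (id, dest) pairs, rejected ids)."""
    accepted, rejected = [], []
    for item in items:
        try:
            accepted.append((item["file_id"], safe_dest_path(download_dir, item["name"])))
        except UnsafeFilename:
            rejected.append(item["file_id"])
    return accepted, rejected


if __name__ == "__main__":
    dl = "/srv/moviepilot/downloads"  # assumed configured download directory
    for item in SAMPLE_REMOTE_ITEMS:
        dest = vulnerable_dest_path(dl, item["name"])
        print(f"{item['name']!r:26} -> escapes download dir? {escapes_download_dir(dl, dest)}")
    print(plan_downloads(dl, SAMPLE_REMOTE_ITEMS))
```

Normalizing to the basename silently keeps a file such as "../../config/app.yaml" as "app.yaml" inside the download directory; a stricter policy can reject any remote name containing a separator instead.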
Metrics
- CVSS v4.0: 7.2
- Severity: HIGH
- Fixed in: 2.13.4
- Affected Products: 1
HarborGuard Analysis
Synopsis
A path traversal vulnerability in MoviePilot affects the AliPan, U115, and Rclone cloud storage download handlers. The vulnerability is reachable over the network by any authenticated low-privilege user; no special account is needed beyond a valid login. Successful exploitation lets an attacker write arbitrary files outside the configured download directory, including overwriting configuration or plugin files accessible to the application process, which can lead to full application compromise. A patched-image rebuild at version 2.13.4 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-11416 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images derived from MoviePilot base layers. Any image carrying a MoviePilot version below 2.13.4 is flagged automatically during both registry scans and CI pipeline checks.
HarborGuard scores this CVE at CVSS 7.2 HIGH and surfaces it accordingly in each customer environment's finding queue, weighted against that environment's configured compliance policies. Routing rules direct the alert to the team or inbox designated for high-severity container findings within each customer org.
A patched-image rebuild at MoviePilot 2.13.4 becomes available on HarborGuard once the fix version is confirmed in the upstream package feed. For customers who have auto-remediation enabled, HarborGuard performs the rebuild, runs the regression test suite against the updated image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The vulnerable download handlers are exposed over the network, so an attacker must be able to reach the MoviePilot service remotely to interact with the cloud storage API paths.
- Authentication: Required
A valid low-privilege account is sufficient; no administrative rights are needed to trigger the vulnerable download handler code paths.
- Victim interaction: Not required
No action from another user or administrator is required; the attacker can trigger the write directly through their own authenticated requests.
- Attack complexity: Low
Exploit conditions are straightforward and reliable; no race conditions, special memory layout, or environmental prerequisites are needed beyond controlling a filename returned by the remote cloud storage API.
Blast Radius
- Attacker writes arbitrary files to any path reachable by the MoviePilot process, bypassing the intended download directory boundary.
- Overwriting application configuration files enables persistent unauthorized changes to MoviePilot behavior or credentials.
- Overwriting plugin files or scripts that the application loads at runtime can achieve code execution within the application process.
- The availability of the MoviePilot service is disrupted if critical runtime files are corrupted or replaced with malformed content.
How HarborGuard Handles This
Available on HarborGuard: scanning for CVE-2026-11416 runs against every image in connected registries and CI pipelines, with results surfaced in the high-severity finding queue immediately after CVE ingestion. For customers who opt into auto-remediation, HarborGuard triggers a rebuild of affected images at MoviePilot 2.13.4, runs regression tests against the rebuilt image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual review before merge, the rebuilt image and test results are staged pending approval. Until the patched image is deployed, compensating controls worth considering include restricting the MoviePilot service account's filesystem write permissions to only the designated download directory, applying network policy to limit which principals can authenticate to the cloud storage handler endpoints, and auditing plugin and configuration directories for unexpected file modifications.
Affected Products
- jxxghp/MoviePilot: < 2.13.4 (from 0)
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N