CVE-2026-11416 is a path traversal vulnerability (CWE-22) in the jxxghp MoviePilot application affecting the AliPan, U115, and Rclone cloud storage download handlers. The issue occurs because the application concatenates the configured download directory path with filenames obtained from remote cloud storage APIs without performing basename normalization or path validation. This allows an attacker controlling the remote filename metadata to include directory traversal sequences ('../'), causing files to be written outside the intended download directory. This can lead to overwriting arbitrary files, including configuration or plugin files accessible by the application process, potentially impacting the integrity and availability of the system.

Exploitation of this vulnerability allows an attacker to overwrite arbitrary files on the system running MoviePilot by manipulating filenames returned from remote cloud storage APIs. This can compromise the integrity of application files such as configuration or plugin files and may also affect availability by overwriting critical files. The CVSS score of 8.1 reflects a high severity with network attack vector, low attack complexity, requiring low privileges, no user interaction, and impacts on integrity and availability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider restricting or validating filenames returned from remote cloud storage APIs before use, or limit the privileges of the application process to minimize potential damage from file overwrites. Avoid using untrusted cloud storage sources or filenames that could be manipulated.