CVE-2026-25161 is a path traversal vulnerability classified under CWE-22 found in the alist file listing program developed by AlistGo. Alist supports multiple storage backends and is built using Gin and Solidjs frameworks. Versions prior to 3.57.0 contain a flaw in multiple file operation handlers that improperly limit pathname inputs. Authenticated attackers can inject directory traversal sequences (e.g., '../') into filename components, bypassing directory-level authorization checks. This enables unauthorized file operations such as deletion, movement, and copying of files across user boundaries within the same storage mount point. The vulnerability affects confidentiality by exposing or allowing deletion of files, integrity by permitting unauthorized modification or movement, and availability by enabling file removal. The flaw is remotely exploitable over the network with low attack complexity and does not require user interaction beyond authentication. The vulnerability was publicly disclosed and patched in version 3.57.0. No known exploits are currently reported in the wild, but the high CVSS score of 8.8 reflects the significant risk posed by this vulnerability if exploited.

For European organizations, this vulnerability poses a serious risk to data confidentiality, integrity, and availability, especially for those using alist to manage multi-storage environments. Attackers with valid credentials can escalate their privileges within the storage system, accessing or manipulating files belonging to other users. This can lead to data breaches, loss of critical files, disruption of business operations, and potential compliance violations under GDPR due to unauthorized data access or alteration. Organizations relying on alist for cloud or on-premises file management may face operational downtime and reputational damage if exploited. The vulnerability's network accessibility and lack of user interaction requirements increase the likelihood of exploitation in environments with weak authentication controls or insider threats.

The primary mitigation is to upgrade all affected alist instances to version 3.57.0 or later, where the vulnerability has been patched. Organizations should audit their current deployments to identify vulnerable versions and apply updates promptly. Additionally, implement strict access controls and monitoring on file operation logs to detect suspicious activities indicative of traversal attacks. Employ multi-factor authentication to reduce the risk of credential compromise. Network segmentation and limiting access to alist management interfaces can reduce exposure. Conduct regular security assessments and penetration testing focused on file operation handlers to ensure no residual path traversal issues remain. Finally, educate administrators and users about the risks of path traversal vulnerabilities and the importance of timely patching.