9 matches found
CVE-2022-26533
CVE-2022-26533 concerns Alist v2.1.0 and below, where an XSS vulnerability exists via /i/:data/ipa.plist. The root cause is improper input handling in the Plist function (other.go), allowing injected JavaScript. Affected versions: v2.0.10–2.1.0; mitigation/fix is stated as applied in version 2.1....
CVE-2024-47067
CVE-2024-47067 affects AList, a file list program with multiple storages. The endpoint /i/:link_name reflects user input in an application/xml response, introducing a reflected XSS vulnerability via HTML/XHTML tags. The issue is fixed in version 3.29.0.
CVE-2022-45969
CVE-2022-45969 targets Alist v3.4.0 and enables a Directory Traversal via bypass of the base path restriction, allowing an attacker to access or place files at arbitrary paths. Evidence from multiple sources confirms the affected product/version and the bypass path, with high-severity impacts (Co...
CVE-2022-45968
Alist v3.4.0 is affected by a File Upload vulnerability where a user with only upload permission can place files into any folder, including password-protected ones. This CVE entry (CVE-2022-45968) is corroborated by multiple connected records (Red Hat, GHSA, OSV, NVD) confirming the same vulnerab...
CVE-2022-45970
CVE-2022-45970 affects Alist v3.5.1 with a Cross-Site Scripting (XSS) vulnerability in the bulletin board component. The root cause is described in a GitLab YAML as improper neutralization of input during web page generation. This enables arbitrary script execution in the context of users visitin...
CVE-2023-31726
AList 3.15.1 is affected by an Incorrect Access Control vulnerability that can lead to information disclosure. Evidence across multiple sources (NVD, Red Hat CVE page, OSV) confirms the vulnerability exists and that the impact is high for confidentiality, with network attack and no required user ...
CVE-2023-33498
CVE-2023-33498 affects the AList project (
CVE-2026-25160
CVE-2026-25160 affects Alist prior to 3.57.0, where TLS certificate verification is disabled by default for all outgoing storage communications. This insecure TLS configuration enables potential Man-in-the-Middle (MitM) attacks, allowing interception, decryption, and possible tampering of data du...
CVE-2026-25161
CVE-2026-25161 affects Alist up to version 3.56.x, with a path traversal flaw in multiple file operation handlers. By injecting traversal sequences into filename components, an authenticated user can bypass directory-level authorisation and perform unauthorised removal, movement, or copying of fi...