Unrestricted Upload of File with Dangerous Type
alist <=3.16.3 is vulnerable to Incorrect Access Control. Low privilege accounts can upload any file.
Advisories for Golang/Github.com/Alist-Org/Alist/V3 package
2023
2022
Alist vulnerable to Path Traversal
Alist v3.4.0 is vulnerable to Directory Traversal,
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Alist v3.5.1 is vulnerable to Cross Site Scripting (XSS) via the bulletin board.
AList vulnerable to Improper Preservation of Permissions
Alist v3.4.0 is vulnerable to File Upload. A user with only file upload permission can upload any file to any folder (even a password protected one).