Alist v2.1.0 and below was discovered to contain a cross-site scripting (XSS) vulnerability via /i/:data/ipa.plist.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| n/a | n/a | affected |
|
No data.
No data.
Advisories
| Source | ID | Title |
|---|---|---|
 EUVD |
EUVD-2022-1460 | Alist v2.1.0 and below was discovered to contain a cross-site scripting (XSS) vulnerability via /i/:data/ipa.plist. |
 Github GHSA |
GHSA-jpj5-hg26-6jgc | Cross-site Scripting in Alist |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
| Link | Providers |
|---|---|
| https://github.com/Xhofe/alist/issues/645 |
|
History
Fri, 13 Feb 2026 21:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Alistgo
Alistgo alist |
|
| CPEs | cpe:2.3:a:alistgo:alist:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Alist Project
Alist Project alist |
Alistgo
Alistgo alist |
Projects
Sign in to view the affected projects.
MITRE
Status: PUBLISHED
Assigner: mitre
Published:
Updated: 2024-08-03T05:03:32.964Z
Reserved: 2022-03-07T00:00:00
Link: CVE-2022-26533
Vulnrichment
No data.
NVD
Status : Modified
Published: 2022-03-12T01:15:35.843
Modified: 2026-02-13T21:18:02.773
Link: CVE-2022-26533
Redhat
No data.
OpenCVE Enrichment
No data.
Weaknesses