CVE-2022-26533 in Alist
Summary
by MITRE • 03/12/2022
Alist v2.1.0 and below was discovered to contain a cross-site scripting (XSS) vulnerability via /i/:data/ipa.plist.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 02/13/2026
The vulnerability identified as CVE-2022-26533 represents a critical cross-site scripting flaw in Alist versions 2.1.0 and earlier, specifically within the /i/:data/ipa.plist endpoint. This vulnerability stems from inadequate input validation and output encoding mechanisms that fail to properly sanitize user-supplied data before rendering it in web responses. The affected application processes plist data through the /i/ endpoint without sufficient sanitization, creating an environment where malicious actors can inject arbitrary JavaScript code into web pages viewed by other users.
The technical exploitation of this vulnerability occurs when an attacker crafts malicious input within the ipa.plist data structure that gets processed and displayed without proper HTML escaping or content security policy enforcement. This flaw allows attackers to execute scripts in the context of the victim's browser session, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of users. The vulnerability manifests as a classic reflected XSS issue where user-controllable data flows through the application's request handling and directly into the HTTP response without adequate sanitization.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to establish persistent access to affected systems. When combined with other attack vectors, this XSS flaw could facilitate more sophisticated attacks including man-in-the-middle scenarios, data exfiltration, or privilege escalation within the application's user management system. The vulnerability affects any user who interacts with the affected Alist installation, particularly those who view or process plist files through the vulnerable endpoint, making it a significant concern for organizations relying on this file management solution.
Security mitigations for CVE-2022-26533 should prioritize immediate patching of affected Alist installations to version 2.1.1 or later, which contains the necessary input validation and output encoding fixes. Organizations should implement comprehensive input sanitization at the application level, ensuring all user-supplied data undergoes proper HTML escaping before being rendered in web contexts. Additional defensive measures include deploying content security policies that restrict script execution, implementing proper output encoding for all dynamic content, and conducting regular security assessments of web applications. This vulnerability aligns with CWE-79 which specifically addresses cross-site scripting vulnerabilities and corresponds to ATT&CK technique T1566.001 for initial access through malicious web content, highlighting the need for robust web application security controls and regular vulnerability assessments to prevent exploitation of such flaws.