alist

v3.61.0 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 2d File Storage & Sync

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 2 known CVEs

Topics

file-server gin go onedrive solidjs webdav

Summary

AI summary

Broad release touches 🐞 Bug Fixes, 🚀 Features, https://github.com/AlistGo/alist/commit/fc26c3d8, and fc26c.

Full changelog

🚀 Features

Add GuangYaPan offline download - by @okatu-loli in https://github.com/AlistGo/alist/issues/9505 (fc26c)
139-share:
- Support mounting and HLS playback - by ** 139云盘分享链接在M3U8中使用相对TS路径，导致代理请求无法正常解析。此外，AList下载器会严格校验文件元数据与实际流的大小一致性，导致动态生成的M3U8因长度不匹配触发416或EOF错误。我们采用了1MB填充技术以兼容AList的严格校验，且1MB足以容纳绝大多数M3U8文件而不影响性能。 Changes: alist/drivers/139/types.go - Added ShareCatalog and ShareContent structs for API response mapping ** [( 支持分享)](https://github.com/AlistGo/alist/commit/ 支持分享链接挂载与播放 Root cause: 139 Cloud share links use relative TS paths in M3U8 playlists which cannot be resolved by proxied clients. Additionally, AList's downloader enforces strict metadata-to-stream size validation, leading to 416 (Range) or EOF errors when serving dynamic M3U8 content. We implemented a 1MB padding technique to ensure compatibility with AList's strict size checks; 1MB is sufficient for almost all M3U8 files without impacting performance. )
api:
- Add virtual_path field on fs/list and fs/get responses - by @okatu-loli (e36c6)
lark:
- Add export tools API - by @okatu-loli in https://github.com/AlistGo/alist/issues/9511 (d509a)
settings:
- Add frontend sort memory switch - by @okatu-loli (cbeb0)
- Add preview_settings for per-extension preview management - by @okatu-loli (1db7a)

🐞 Bug Fixes

V-002 security vulnerability - by @orbisai0security (e35ab)
Support all pagination mode - by @okatu-loli in https://github.com/AlistGo/alist/issues/9512 (0fa86)
CVE-2026-34986 security vulnerability - by @orbisai0security (02c09)
139-share:
- Fix modification time parsing - by 45daac9e [( 修复分享)](https://github.com/AlistGo/alist/commit/ 修复分享模式下的修改时间解析)
guangyapan:
- Allow user input folder path in driver root path - by @abandonstudy (dba5c)
- Expose sorting options - by @okatu-loli (4a23e)
- Resolve offline root folder lookup - by @okatu-loli in https://github.com/AlistGo/alist/issues/9516 (de569)
lanzou:
- Handle acw_sc__v2 anti-crawler challenge on all requests - by @okatu-loli in https://github.com/AlistGo/alist/issues/9548 (d0cec)
mcp:
- Initialize task manager so async fs operations don't panic - by @okatu-loli and Claude Opus 4.7 (69464)
meta:
- Expire missing meta cache - by @okatu-loli in https://github.com/AlistGo/alist/issues/9504 (f4459)
net:
- Synchronize Buf.Close with Write/Read to prevent nil-pointer panic - by @okatu-loli and Claude Opus 4.7 (0e9f8)
storage:
- Clear list cache after storage updates - by @okatu-loli (ffbbe)