alist <=3.16.3 is vulnerable to Incorrect Access Control. Low privilege accounts can upload any file.
CVSS Metrics
