PT-2026-6278 · Alist · Alist

A7Um +1 · Published 2026-02-04 · Updated 2026-02-06 · CVE-2026-25160

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions
Alist versions prior to 3.57.0

Description
Alist, a file list program powered by Gin and Solidjs, has a configuration issue where TLS certificate verification is disabled by default for all outgoing storage driver communications. This allows for potential Man-in-the-Middle (MitM) attacks, enabling decryption, theft, and manipulation of data transmitted during storage operations. This compromises the confidentiality and integrity of user data.

Recommendations
Update to version 3.57.0 or later.
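
The weakness described above, as an added Go example (not Alist's code and not part of this advisory): it contrasts an outgoing client that skips certificate verification with one that verifies against the system trust store and one that trusts a private CA explicitly. `newDriverClient`, `probe` and `demo` are hypothetical names, and the local `httptest` server with an untrusted certificate is a constructed stand-in for an endpoint the client has no reason to trust.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newDriverClient is a hypothetical helper (an assumption, not Alist's code).
// skipVerify models the weak default; roots, when non-nil, lists the CAs to trust.
func newDriverClient(skipVerify bool, roots *x509.CertPool) *http.Client {
	return &http.Client{
		Transport: &http.Transport{
			TLSClientConfig: &tls.Config{
				InsecureSkipVerify: skipVerify,
				RootCAs:            roots, // nil means the system trust store
			},
		},
	}
}

// probe returns nil when the TLS handshake and request to url succeed.
func probe(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// demo runs three clients against a constructed local server with an untrusted certificate.
func demo() (weak, strict, pinned error) {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	weak = probe(newDriverClient(true, nil), srv.URL)     // any certificate is accepted
	strict = probe(newDriverClient(false, nil), srv.URL)  // fails: unknown authority
	pinned = probe(newDriverClient(false, pool), srv.URL) // succeeds: CA trusted explicitly
	return
}

func main() {
	weak, strict, pinned := demo()
	fmt.Printf("skip-verify: %v\nverified: %v\npinned CA: %v\n", weak, strict, pinned)
}
```

Only the skip-verify client completes a request to the untrusted endpoint without being told to trust it; a deployment that must reach a self-signed storage backend can add that backend's CA to the pool rather than turning verification off.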

Exploit

Fix

Improper Certificate Validation


Weakness Enumeration

Related identifiers

CVE-2026-25160
GHSA-8JMM-3XWX-W974
GO-2026-4414
SUSE-SU-2026:0403-1

Affected products

Alist