PT-2026-6278 · Alist · Alist
A7Um +1 · Published 2026-02-04 · Updated 2026-02-06
CVE-2026-25160
CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Alist versions prior to 3.57.0
Description
Alist, a file list program powered by Gin and Solidjs, has a configuration issue where TLS certificate verification is disabled by default for all outgoing storage driver communications. This allows for potential Man-in-the-Middle (MitM) attacks, enabling decryption, theft, and manipulation of data transmitted during storage operations. This compromises the confidentiality and integrity of user data.
Recommendations
Update to version 3.57.0 or later.
Weakness Enumeration
Improper Certificate Validation
Affected Products
Alist