CVE-2026-25160
- Source
- https://cve.org/CVERecord?id=CVE-2026-25160
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25160.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-25160
- Aliases
- Published
- 2026-02-04T19:40:01.243Z
- Modified
- 2026-03-01T02:57:10.901895Z
- Severity
-
- 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Alist has Insecure TLS Config
- Details
-
Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application disables TLS certificate verification by default for all outgoing storage driver communications, making the system vulnerable to Man-in-the-Middle (MitM) attacks. This enables the complete decryption, theft, and manipulation of all data transmitted during storage operations, severely compromising the confidentiality and integrity of user data. This issue has been patched in version 3.57.0.
- Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-295" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25160.json" }- References
Affected packages
Git / github.com/alistgo/alist
Affected ranges
- Type
- GIT
- Repo
- https://github.com/alistgo/alist
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v2.*
v2.0.0
v2.0.0-beta
v2.0.0-beta2
v2.0.0-beta3
v2.0.0-beta4
v2.0.0-beta5
v2.0.0-beta6
v2.0.0-beta7
v2.0.1
v2.0.10
v2.0.2
v2.0.3
v2.0.4
v2.0.4-fix
v2.0.4-fix2
v2.0.5
v2.0.5-libc
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.2.0
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.5.0
v2.5.1
v2.5.2
v2.6.0
v2.6.1
v3.*
v3.0.0-beta.0
v3.0.0-beta.1
v3.0.0-beta.2
v3.0.0-rc.0
v3.0.0-rc.1
v3.0.1
v3.0.2
v3.0.3
v3.1.0
v3.10.1
v3.11.0
v3.12.0
v3.12.1
v3.12.2
v3.13.1
v3.13.2
v3.14.0
v3.15.0
v3.15.1
v3.16.0
v3.16.1
v3.16.2
v3.16.3
v3.17.0
v3.18.0
v3.19.0
v3.2.0
v3.2.1
v3.20.0
v3.20.1
v3.21.0
v3.22.0
v3.22.1
v3.23.0
v3.24.0
v3.25.1
v3.26.0
v3.27.0
v3.28.0
v3.29.0
v3.29.1
v3.3.0
v3.30.0
v3.31.0
v3.32.0
v3.33.0
v3.34.0
v3.35.0
v3.36.0
v3.37.1
v3.37.2
v3.37.3
v3.37.4
v3.38.0
v3.39.1
v3.39.2
v3.39.3
v3.39.4
v3.4.0
v3.40.0
v3.41.0
v3.42.0
v3.43.0
v3.44.0
v3.45.0
v3.45.1
v3.46.0
v3.46.1
v3.46.2
v3.47.0
v3.47.1
v3.48.0
v3.49.0
v3.5.1
v3.50.0
v3.51.0
v3.52.0
v3.53.0
v3.54.0
v3.55.0
v3.56.0
v3.6.0
v3.7.1
v3.7.2
v3.8.0
v3.9.0
v3.9.1
v3.9.2