CVE-2026-25060

  1. Yack CVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-25060

8.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

O

penList Frontend is a UI component for OpenList. Prior to 4.1.10, certificate verification is disabled by default for all storage driver communications. The TlsInsecureSkipVerify setting is default to true in the DefaultConfig() function in internal/conf/config.go. This vulnerability enables Man-in-the-Middle (MitM) attacks by disabling TLS certificate verification, allowing attackers to intercept and manipulate all storage communications. Attackers can exploit this through network-level attacks like ARP spoofing, rogue Wi-Fi access points, or compromised internal network equipment to redirect traffic to malicious endpoints. Since certificate validation is skipped, the system will unknowingly establish encrypted connections with attacker-controlled servers, enabling full decryption, data theft, and manipulation of all storage operations without triggering any security warnings. This vulnerability is fixed in 4.1.10.

References
Link Resource
https://github.com/OpenListTeam/OpenList/commit/e3c664f81d0584fbbdb86ffe6644be16259371c1 Patch
https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10 Release Notes
https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-wf93-3ghh-h389 Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:oplist:openlist:*:*:*:*:*:*:*:*
History

23 Feb 2026, 17:35

Type Values Removed Values Added
References () https://github.com/OpenListTeam/OpenList/commit/e3c664f81d0584fbbdb86ffe6644be16259371c1 - () https://github.com/OpenListTeam/OpenList/commit/e3c664f81d0584fbbdb86ffe6644be16259371c1 - Patch
References () https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10 - () https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10 - Release Notes
References () https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-wf93-3ghh-h389 - () https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-wf93-3ghh-h389 - Vendor Advisory
CPE cpe:2.3:a:oplist:openlist:*:*:*:*:*:*:*:*
Summary
  • (es) OpenList Frontend es un componente de interfaz de usuario para OpenList. Antes de la versión 4.1.10, la verificación de certificados está deshabilitada por defecto para todas las comunicaciones del controlador de almacenamiento. La configuración TlsInsecureSkipVerify está establecida en true por defecto en la función DefaultConfig() en internal/conf/config.go. Esta vulnerabilidad permite ataques de man-in-the-middle (MitM) al deshabilitar la verificación de certificados TLS, lo que permite a los atacantes interceptar y manipular todas las comunicaciones de almacenamiento. Los atacantes pueden explotar esto a través de ataques a nivel de red como suplantación de ARP, puntos de acceso Wi-Fi no autorizados o equipos de red internos comprometidos para redirigir el tráfico a puntos finales maliciosos. Dado que la validación de certificados se omite, el sistema establecerá conexiones cifradas sin saberlo con servidores controlados por el atacante, lo que permite el descifrado completo, el robo de datos y la manipulación de todas las operaciones de almacenamiento sin activar ninguna advertencia de seguridad. Esta vulnerabilidad se corrige en la versión 4.1.10.
First Time Oplist openlist
Oplist

02 Feb 2026, 23:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-02 23:16

Updated : 2026-02-23 17:35

NVD link : CVE-2026-25060

Mitre link : CVE-2026-25060

CVE.ORG link : CVE-2026-25060

JSON object : View

Products Affected

oplist

CWE
CWE-599

Missing Validation of OpenSSL Certificate