CVE-2026-25060

Feb. 3, 2026, 4:44 p.m.

8.1
High

Description

OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, certificate verification is disabled by default for all storage driver communications. The TlsInsecureSkipVerify setting is default to true in the DefaultConfig() function in internal/conf/config.go. This vulnerability enables Man-in-the-Middle (MitM) attacks by disabling TLS certificate verification, allowing attackers to intercept and manipulate all storage communications. Attackers can exploit this through network-level attacks like ARP spoofing, rogue Wi-Fi access points, or compromised internal network equipment to redirect traffic to malicious endpoints. Since certificate validation is skipped, the system will unknowingly establish encrypted connections with attacker-controlled servers, enabling full decryption, data theft, and manipulation of all storage operations without triggering any security warnings. This vulnerability is fixed in 4.1.10.

Product(s) Impacted

Vendor Product Versions
Openlist
  • Openlist Frontend
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-599
Missing Validation of OpenSSL Certificate
The product uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary security requirements.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a openlist openlist_frontend / / / / / / / /

References

https://github.com/OpenListTeam/OpenList/commit/e3c664f81d0584fbbdb86ffe6644be16259371c1
https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10
https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-wf93-3ghh-h389

Tags

[email protected]
CWE-599
2026-02-02
CVE-2026-25060

CVSS Score

8.1 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

    View Vector String

Timeline

Published: Feb. 2, 2026, 11:16 p.m.
Last Modified: Feb. 3, 2026, 4:44 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.