CVE-2026-25060

{"id": "CVE-2026-25060", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2026-02-02T23:16:08.913", "references": [{"url": "https://github.com/OpenListTeam/OpenList/commit/e3c664f81d0584fbbdb86ffe6644be16259371c1", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-wf93-3ghh-h389", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-599"}]}], "descriptions": [{"lang": "en", "value": "OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, certificate verification is disabled by default for all storage driver communications. The TlsInsecureSkipVerify setting is default to true in the DefaultConfig() function in internal/conf/config.go. This vulnerability enables Man-in-the-Middle (MitM) attacks by disabling TLS certificate verification, allowing attackers to intercept and manipulate all storage communications. Attackers can exploit this through network-level attacks like ARP spoofing, rogue Wi-Fi access points, or compromised internal network equipment to redirect traffic to malicious endpoints. Since certificate validation is skipped, the system will unknowingly establish encrypted connections with attacker-controlled servers, enabling full decryption, data theft, and manipulation of all storage operations without triggering any security warnings. This vulnerability is fixed in 4.1.10."}, {"lang": "es", "value": "OpenList Frontend es un componente de interfaz de usuario para OpenList. Antes de la versi\u00f3n 4.1.10, la verificaci\u00f3n de certificados est\u00e1 deshabilitada por defecto para todas las comunicaciones del controlador de almacenamiento. La configuraci\u00f3n TlsInsecureSkipVerify est\u00e1 establecida en true por defecto en la funci\u00f3n DefaultConfig() en internal/conf/config.go. Esta vulnerabilidad permite ataques de man-in-the-middle (MitM) al deshabilitar la verificaci\u00f3n de certificados TLS, lo que permite a los atacantes interceptar y manipular todas las comunicaciones de almacenamiento. Los atacantes pueden explotar esto a trav\u00e9s de ataques a nivel de red como suplantaci\u00f3n de ARP, puntos de acceso Wi-Fi no autorizados o equipos de red internos comprometidos para redirigir el tr\u00e1fico a puntos finales maliciosos. Dado que la validaci\u00f3n de certificados se omite, el sistema establecer\u00e1 conexiones cifradas sin saberlo con servidores controlados por el atacante, lo que permite el descifrado completo, el robo de datos y la manipulaci\u00f3n de todas las operaciones de almacenamiento sin activar ninguna advertencia de seguridad. Esta vulnerabilidad se corrige en la versi\u00f3n 4.1.10."}], "lastModified": "2026-02-23T17:35:00.207", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oplist:openlist:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8A540671-DE84-45FD-A087-21A565765CF4", "versionEndExcluding": "4.1.10"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}