EXECUTIVE SUMMARY:
Two vulnerabilities have been disclosed in the open-source file-list application Alist. These issues affect all Alist versions prior to 3.57.0 and expose users to risks involving unauthorized file access and insecure network communications. One vulnerability is a high-severity path traversal flaw that allows authenticated users to bypass directory isolation and perform unauthorized file operations across user boundaries within the same storage mount. The other is a critical vulnerability caused by TLS certificate verification being disabled by default, which exposes storage communications to Man-in-the-Middle attacks and potential data compromise.
CVE-2026-25161: affects Alist versions earlier than 3.57.0 and carries a CVSS v3.1 base score of 8.8 (High). The vulnerability is due to a path traversal issue in multiple file operation handlers where insufficient validation of user-supplied filenames allows traversal sequences to be injected. An authenticated attacker can exploit this to bypass directory-level authorization controls and rename, move, copy, or delete files belonging to other users within the same storage mount. The attack requires valid credentials but no additional user interaction.
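To make the "insufficient validation of user-supplied filenames" concrete from the defender's side, here is an added Go example that is not Alist's code: a weak check that only strips one traversal prefix beside a hardened check that rejects separators and traversal components and then confirms the cleaned target still lies under the caller's directory. The function names, the `userDir` layout and the sample names are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrTraversal is returned when a supplied name would escape its directory.
var ErrTraversal = errors.New("filename rejected: path separator or traversal component")

// weakValidate illustrates an insufficient check (constructed, not Alist's code):
// it strips a single leading "../", so nested sequences such as "../../x" survive
// as "../x" and still traverse out of the directory.
func weakValidate(name string) string {
	return strings.TrimPrefix(name, "../")
}

// safeJoin builds the target path for a rename/move/copy/delete operation.
// It must be applied to the name AFTER any URL decoding, and it refuses:
//   - empty names and the special entries "." and "..",
//   - names containing "/" or "\" (a name is a single path component),
// and then double-checks that the cleaned result stays under userDir.
func safeJoin(userDir, name string) (string, error) {
	if name == "" || name == "." || name == ".." {
		return "", ErrTraversal
	}
	if strings.ContainsAny(name, `/\`) {
		return "", ErrTraversal
	}
	// Containment check as defence in depth: even if the rules above are
	// relaxed later, a result outside userDir is still rejected.
	base := path.Clean("/" + strings.Trim(userDir, "/"))
	target := path.Clean(base + "/" + name)
	if target == base || !strings.HasPrefix(target, base+"/") {
		return "", ErrTraversal
	}
	return target, nil
}

func main() {
	// Constructed sample inputs: one legitimate name, two traversal attempts.
	for _, name := range []string{"report.txt", "../../bob/secret.txt", "..\\bob\\secret.txt"} {
		target, err := safeJoin("/data/alice", name)
		fmt.Printf("%-24q weak=%-20q safe=%q err=%v\n", name, weakValidate(name), target, err)
	}
}
```

Running `main` prints the legitimate name resolved under `/data/alice` and both traversal attempts rejected, while `weakValidate` shows the nested sequence surviving with one level removed.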
CVE-2026-25160: also impacts Alist versions earlier than 3.57.0 and has a CVSS v3.1 base score of 9.1 (Critical). This issue occurs because TLS certificate verification is disabled by default for outgoing storage driver communications. As a result, attackers with network-level access can perform Man-in-the-Middle attacks to intercept, decrypt, or modify data in transit. This weakness directly compromises the confidentiality and integrity of stored data without requiring authenticated access.
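The weak default described here corresponds, in Go's standard library, to an `http.Transport` whose `tls.Config` sets `InsecureSkipVerify: true`. The following added example (not Alist's code; the function names and the audit policy are assumptions) shows that insecure transport beside a hardened one, plus a small audit routine a deployment could run over each storage driver's HTTP client at startup to catch verification being switched off.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
	"time"
)

// ErrInsecureTransport is reported when a transport would accept any certificate.
var ErrInsecureTransport = errors.New("TLS certificate verification is disabled")

// insecureTransport reproduces the weak default (constructed illustration):
// with InsecureSkipVerify set, the client accepts whatever certificate the
// peer presents, so an on-path attacker can terminate the TLS session.
func insecureTransport() *http.Transport {
	return &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
}

// hardenedTransport keeps verification on (the zero value of InsecureSkipVerify)
// and pins a minimum TLS version; certificates are checked against the system
// root store. Operators who must trust a private CA should add it to RootCAs
// rather than disable verification.
func hardenedTransport() *http.Transport {
	return &http.Transport{
		TLSClientConfig: &tls.Config{
			InsecureSkipVerify: false,
			MinVersion:         tls.VersionTLS12,
		},
		TLSHandshakeTimeout: 10 * time.Second,
	}
}

// auditTransport fails if verification is disabled or the minimum TLS version
// is explicitly set below 1.2. A nil transport or nil TLS config means Go's
// defaults apply, which verify certificates.
func auditTransport(t *http.Transport) error {
	if t == nil || t.TLSClientConfig == nil {
		return nil
	}
	cfg := t.TLSClientConfig
	if cfg.InsecureSkipVerify {
		return ErrInsecureTransport
	}
	if cfg.MinVersion != 0 && cfg.MinVersion < tls.VersionTLS12 {
		return errors.New("minimum TLS version below 1.2")
	}
	return nil
}

// auditClient unwraps an *http.Client and audits the transport it really uses.
func auditClient(c *http.Client) error {
	if c.Transport == nil {
		return nil // http.DefaultTransport verifies certificates
	}
	t, ok := c.Transport.(*http.Transport)
	if !ok {
		return errors.New("custom RoundTripper: inspect its TLS settings manually")
	}
	return auditTransport(t)
}

func main() {
	// Constructed sample: two driver clients, one with the weak setting.
	drivers := map[string]*http.Client{
		"driver-a": {Transport: insecureTransport()},
		"driver-b": {Transport: hardenedTransport()},
	}
	for name, c := range drivers {
		fmt.Printf("%s: %v\n", name, auditClient(c))
	}
}
```

The audit treats an absent TLS config as safe because Go's default transport verifies certificates; the finding in the advisory is specifically about verification being turned off, which is what the `InsecureSkipVerify` check catches.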
RECOMMENDATION:
We strongly recommend that you update Alist to version 3.57.0.
REFERENCES:
The following reports contain further technical details: