{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6574", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-04-18T20:01:42.583Z", "datePublished": "2026-04-19T13:30:17.265Z", "dateUpdated": "2026-04-19T13:30:17.265Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-04-19T13:30:17.265Z"}, "title": "osuuu LightPicture API Upload Endpoint lp.sql hard-coded credentials", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-798", "lang": "en", "description": "Hard-coded Credentials"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-259", "lang": "en", "description": "Use of Hard-coded Password"}]}], "affected": [{"vendor": "osuuu", "product": "LightPicture", "versions": [{"version": "1.2.0", "status": "affected"}, {"version": "1.2.1", "status": "affected"}, {"version": "1.2.2", "status": "affected"}], "cpes": ["cpe:2.3:a:osuuu:lightpicture:*:*:*:*:*:*:*:*"], "modules": ["API Upload Endpoint"]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in osuuu LightPicture up to 1.2.2. This issue affects some unknown processing of the file /public/install/lp.sql of the component API Upload Endpoint. Such manipulation of the argument key leads to hard-coded credentials. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-04-18T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-04-18T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-04-18T22:06:53.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "vulnplusbot (VulDB User)", "type": "reporter"}, {"lang": "en", "value": "VulDB CNA Team", "type": "coordinator"}], "references": [{"url": "https://vuldb.com/vuln/358209", "name": "VDB-358209 | osuuu LightPicture API Upload Endpoint lp.sql hard-coded credentials", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/358209/cti", "name": "VDB-358209 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/790000", "name": "Submit #790000 | LightPicture v1.2.2 Hardcoded Secret", "tags": ["third-party-advisory"]}, {"url": "https://vulnplus-note.wetolink.com/share/VhoNkMja5u7A", "tags": ["broken-link", "exploit"]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in osuuu LightPicture up to 1.2.2. This issue affects some unknown processing of the file /public/install/lp.sql of the component API Upload Endpoint. Such manipulation of the argument key leads to hard-coded credentials. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "id": "CVE-2026-6574", "lastModified": "2026-04-19T14:16:11.593", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-04-19T14:16:11.593", "references": [{"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/790000"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358209"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/358209/cti"}, {"source": "cna@vuldb.com", "url": "https://vulnplus-note.wetolink.com/share/VhoNkMja5u7A"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-259"}, {"lang": "en", "value": "CWE-798"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.2.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.2.1"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.2.2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "LightPicture", "source": "cna", "vendor": "osuuu"}, "product": "lightpicture", "vendor": "osuuu"}], "analysis": {"en": {"generated_at": "2026-04-19T14:35:37.611324+00:00", "value": {"mitigation_remediation": ["Verify if a newer, patched version of LightPicture is available and apply it immediately.", "If no patch exists, limit or block external access to the upload API endpoint to prevent remote exploitation.", "Modify the /public/install/lp.sql file to remove hard\u2011coded credentials and replace them with securely generated, unique passwords; enforce password rotation and proper authentication mechanisms."], "summary": {"action": "Assess Impact", "impact": "Hard\u2011coded credentials enable unauthorized remote access"}, "threat_synthesis": {"affected_systems": "The vulnerability affects osuuu LightPicture versions up to and including 1.2.2. The impacted component is the upload functionality accessible externally via the API. No other vendor or product variants are listed as vulnerable.", "description_and_impact": "The flaw originates from the LightPicture API Upload Endpoint where manipulation of an argument key causes the application to load hard\u2011coded credentials from the /public/install/lp.sql file. This enables an attacker to obtain valid authentication tokens or administrator credentials from a remote connection, creating a path to compromise the system. The weakness is categorized as CWE\u2011259 (Use of Hard\u2011coded Password) and CWE\u2011798 (Use of Hard\u2011coded Credentials).", "risk_and_exploitability": "The CVSS score of 6.9 indicates a moderate severity. EPSS data is unavailable, but the vulnerability has been publicly disclosed and can be exploited remotely without special privileges, implying a realistic chance of exploitation. The vulnerability is not present in the CISA KEV catalog, yet the lack of vendor response increases potential risk. Attackers can craft requests to the upload endpoint to trigger the execution of the hard\u2011coded credential logic, gaining unauthorized access to the application."}}}}, "created": "2026-04-19T14:45:27.018159+00:00", "updated": "2026-04-19T15:00:08.854950+00:00", "vendors": ["osuuu", "osuuu$PRODUCT$lightpicture"]}