CVE-2026-6574
HIGHosuuu LightPicture API Upload Endpoint lp.sql hard-coded credentials
Title source: cnaDescription
A vulnerability has been found in osuuu LightPicture up to 1.2.2. This issue affects some unknown processing of the file /public/install/lp.sql of the component API Upload Endpoint. Such manipulation of the argument key leads to hard-coded credentials. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Scores
CVSS v3
7.3
EPSS
0.0004
EPSS Percentile
11.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Details
CWE
CWE-259
CWE-798
Status
published
Products (3)
osuuu/LightPicture
1.2.0
osuuu/LightPicture
1.2.1
osuuu/LightPicture
1.2.2
Published
Apr 19, 2026
Tracked Since
Apr 19, 2026