CVE-2026-6574
Hardcoded Credentials in osuuu LightPicture API Upload Endpoint
Publication date: 2026-04-19
Last updated on: 2026-04-29
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| osuuu | lightpicture | up to 1.2.2 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-259 | The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components. |
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects osuuu LightPicture up to version 1.2.2, in the API Upload Endpoint, and relates to the file /public/install/lp.sql. Manipulation of the argument key leads to the use of hard-coded credentials. The vulnerability can be exploited remotely.
How can this vulnerability impact me?
An attacker who exploits this vulnerability can use the hard-coded credentials to gain unauthorized access to the system. Because the attack can be performed remotely, this may lead to data compromise or further exploitation.