atlaszz AI Photo Team Galleryit CVE-2025-14698
Severity: LOW (NVD)
CVSS Vector (NVD):
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
A weakness has been identified in atlaszz AI Photo Team Galleryit App 1.3.8.2 on Android. This affects an unknown part of the component gallery.photogallery.pictures.vault.album. This manipulation causes path traversal. The attack needs to be launched locally. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
Analysis (AI)
Path traversal vulnerability in atlaszz AI Photo Team Galleryit App version 1.3.8.2 on Android allows authenticated local attackers to manipulate the gallery.photogallery.pictures.vault.album component and access files outside intended directories. The vulnerability requires local access and authenticated user privileges; public exploit code exists. The vendor has not responded to early disclosure notification, leaving the application unpatched.
Technical Context (AI)
The vulnerability resides in the gallery.photogallery.pictures.vault.album component of the Galleryit Android application. Path traversal (CWE-22) occurs when user-supplied input to file path operations is not properly sanitized, allowing an attacker to use directory traversal sequences (such as '../' or absolute paths) to access files outside the application's intended directory scope. On Android, this could enable unauthorized access to application private storage, shared storage, or other sensitive directories depending on the application's permission model and how the component constructs file paths.
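Added example, not code from the Galleryit app or its vendor: a vault file lookup written in the vulnerable CWE-22 form beside a hardened form that rejects absolute names and verifies the canonical result still sits under the vault directory. The class, method names and base directory are assumptions.

```java
import java.io.File;
import java.io.IOException;

// Illustrative resolver for a gallery "vault" album store. The base directory,
// class and method names are assumptions for this example, not the app's real code.
public final class VaultPathResolver {
    private final File baseDir;

    public VaultPathResolver(File baseDir) throws IOException {
        // Canonicalize once so symlinks inside the base path cannot confuse the check.
        this.baseDir = baseDir.getCanonicalFile();
    }

    // Vulnerable pattern (CWE-22): caller-controlled name joined without validation.
    public File resolveUnsafe(String name) {
        return new File(baseDir, name);   // "../shared_prefs/x.xml" walks out of baseDir
    }

    // Hardened: reject absolute input, canonicalize, then require the result to stay
    // inside baseDir. The trailing separator stops "/vault2" from matching "/vault".
    public File resolveSafe(String name) throws IOException {
        if (name == null || name.isEmpty() || new File(name).isAbsolute()) {
            throw new SecurityException("rejected name: " + name);
        }
        File candidate = new File(baseDir, name).getCanonicalFile();
        String basePrefix = baseDir.getPath() + File.separator;
        if (!candidate.getPath().startsWith(basePrefix)) {
            throw new SecurityException("path escapes vault: " + name);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed base directory; on Android this would come from Context.getFilesDir().
        File base = new File(System.getProperty("java.io.tmpdir"), "vault");
        VaultPathResolver r = new VaultPathResolver(base);
        String[] inputs = { "album1/photo.jpg", "../other/file", "a/../../escape", "/etc/hosts" };
        for (String in : inputs) {
            try {
                System.out.println("OK   " + in + " -> " + r.resolveSafe(in));
            } catch (SecurityException e) {
                System.out.println("DENY " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first input is accepted; the two traversal sequences and the absolute path are all rejected before any file is opened.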
Affected Products (AI)
atlaszz AI Photo Team Galleryit App version 1.3.8.2 for Android is the confirmed affected release. No CPE data or vendor advisory is available; the vulnerability was reported by independent security researchers through VulDB (vuldb.com, contact cna@vuldb.com). Whether other releases (earlier or later than 1.3.8.2) are affected has not been independently confirmed.
Remediation (AI)
No vendor-released patch identified at time of analysis. Given the vendor's non-responsiveness to early disclosure, users should uninstall or avoid using atlaszz AI Photo Team Galleryit App version 1.3.8.2. As a compensating control, restrict the application's file system permissions on Android 6.0+ via Settings > Apps > Permissions, explicitly denying storage access if the application does not require gallery functionality for core operations. Android users with the application installed should monitor for a patched version release; if none is forthcoming within 90 days of public disclosure, consider using alternative, actively maintained photo gallery applications. Note that restricting permissions may degrade application functionality.