atlaszz AI Photo Team Galleryit CVE-2025-14698
LOWSeverity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A weakness has been identified in atlaszz AI Photo Team Galleryit App 1.3.8.2 on Android. This affects an unknown part of the component gallery.photogallery.pictures.vault.album. This manipulation causes path traversal. The attack needs to be launched locally. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Path traversal vulnerability in atlaszz AI Photo Team Galleryit App version 1.3.8.2 on Android allows authenticated local attackers to manipulate the gallery.photogallery.pictures.vault.album component and access files outside intended directories. The vulnerability requires local access and authenticated user privileges; public exploit code exists. The vendor has not responded to early disclosure notification, leaving the application unpatched.
Technical ContextAI
The vulnerability resides in the gallery.photogallery.pictures.vault.album component of the Galleryit Android application. Path traversal (CWE-22) occurs when user-supplied input to file path operations is not properly sanitized, allowing an attacker to use directory traversal sequences (such as '../' or absolute paths) to access files outside the application's intended directory scope. On Android, this could enable unauthorized access to application private storage, shared storage, or other sensitive directories depending on the application's permission model and how the component constructs file paths.
Affected ProductsAI
atlaszz AI Photo Team Galleryit App version 1.3.8.2 for Android is the confirmed affected release. No CPE data or vendor advisory is available; the vulnerability was reported to VulDB (vuldb.com) by independent security researchers at cna@vuldb.com. Version information for other releases (earlier or later than 1.3.8.2) has not been independently confirmed.
RemediationAI
No vendor-released patch identified at time of analysis. Given the vendor's non-responsiveness to early disclosure, users should uninstall or avoid using atlaszz AI Photo Team Galleryit App version 1.3.8.2. As a compensating control, restrict the application's file system permissions on Android 6.0+ via Settings > Apps > Permissions, explicitly denying storage access if the application does not require gallery functionality for core operations. Android users with the application installed should monitor for a patched version release; if none is forthcoming within 90 days of public disclosure, consider using alternative, actively maintained photo gallery applications. Note that restricting permissions may degrade application functionality.
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Va
An XML external entity (XXE) vulnerability in the Password Vault Web Access (PVWA) of CyberArk Enterprise Password Vault
PhotoRange Photo Vault 1.2 appends the password to the URI for authorization, which makes it easier for remote attackers
The REST API in CyberArk Password Vault Web Access before 9.9.5 and 10.x before 10.1 allows remote attackers to execute
Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth
vault-cli is a configurable command-line interface tool (and python library) to interact with Hashicorp Vault. Rated cri
The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 is missing validation for a client-provided parameter, w
The SRP-6a implementation in Kee Vault KeePassRPC before 1.12.0 generates insufficiently random numbers, which allows re
HashiCorp Vagrant VMware Fusion plugin (aka vagrant-vmware-fusion) before 4.0.24 uses weak permissions for the sudo help
Atlantis is a self-hosted golang application that listens for Terraform pull request events via webhooks. Rated high sev
Coder allows organizations to provision remote development environments via Terraform. Rated high severity (CVSS 8.1), t
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today