Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable unauthenticated endpoint (AV:N/PR:N) with low confidentiality impact confined to username and public-scoped images; no integrity or availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Chevereto is a self-hosted media-sharing platform. Starting in version 3.7.5 and prior to version 4.5.4, when a user enables the private profile option, visiting their profile HTML route (/username) correctly returns 404. However, the /json AJAX listing endpoint does not apply the same check. An unauthenticated caller who knows the target's user ID can retrieve all of that user's publicly-scoped images, revealing the username (which should be private). This is patched in Chevereto v4.5.4. No known workarounds are available.
AnalysisAI
Chevereto's /json AJAX listing endpoint fails to enforce the private profile access control that the HTML profile route correctly applies, exposing user images and usernames to unauthenticated callers. Versions 3.7.5 through 4.5.3 are affected across both the commercial Chevereto product and the Chevereto Free (rodber/chevereto-free) variant. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two conditions: (1) the target user must have enabled the private profile option in their Chevereto account settings - users who have not opted into this feature are unaffected, and (2) the attacker must know or successfully enumerate the target's numeric user ID, since the private HTML profile route suppresses the username entirely. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N, score 6.9) indicates a network-accessible, unauthenticated, zero-complexity attack path, but the blast radius is bounded: impact is constrained to low confidentiality on the vulnerable system (VC:L) with no integrity or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a Chevereto instance and iterates through sequential numeric user IDs, confirming that the HTML profile route (`/alice`) returns 404 (indicating a private profile), then directly queries the `/json` endpoint with the known user ID to receive a full JSON response containing the user's publicly-scoped image metadata and their username. The entire operation requires only a standard HTTP client and no authentication or elevated access. … |
| Remediation | Upgrade to Chevereto v4.5.4, which patches the missing authorization check on the `/json` AJAX listing endpoint to match the access control already applied to the HTML profile route, as confirmed by the GitHub Security Advisory GHSA-h4jp-mxfx-g8xp and the vendor announcement at https://chevereto.com/community/threads/chevereto-v4-5-4-announcement.16398/post-80153. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Chevereto before 3.17.1 allows Cross Site Scripting (XSS) via an image title at the image upload stage. Rated medium sev
Directory traversal vulnerability in Upload/engine.php in Chevereto 1.9.1 allows remote attackers to determine the exist
Chevereto Free before 1.0.13 has XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low
Cross-site scripting (XSS) vulnerability in Upload/engine.php in Chevereto 1.91 allows remote attackers to inject arbitr
Stored XSS vulnerabilities in chevereto CMS before version 3.8.11, one in the user profile and one in the Exif data pars
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42085