Which versions of Lightpicture are affected by CVE-2026-6574?

osuuu LightPicture versions up to 1.2.2 contain hard-coded credentials that permit unauthenticated attackers to completely bypass authentication and gain full system access through the API upload…

Is there a public PoC exploit available for CVE-2026-6574?

Yes, a public proof-of-concept exploit is available for CVE-2026-6574. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-6574?

Within 24 hours: Identify all instances of osuuu LightPicture versions 1.2.2 and earlier in your environment and isolate affected systems from production networks. Within 7 days: Evaluate migration to a patched alternative product or establish an air-gapped deployment model with strict network access controls. Within 30 days: Complete migration away from affected LightPicture versions or implement compensating controls (network segmentation, API endpoint blocking, and credential rotation on all downstream systems).

Lightpicture CVE-2026-6574

Q: What is the CVSS score of CVE-2026-6574?

CVE-2026-6574 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-23705 MEDIUM

Use of Hard-coded Credentials (CWE-798)

2026-04-19 VulDB

GHSA-c39q-8682-64fg

Authentication Bypass Lightpicture

5.5

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.5 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 29, 2026 - 01:12 NVD

6.9 (MEDIUM) 5.5 (MEDIUM)

PoC Detected

Apr 29, 2026 - 01:00 vuln.today

Public exploit code

Severity Changed

Apr 19, 2026 - 14:22 NVD

HIGH MEDIUM

CVSS changed

Apr 19, 2026 - 14:22 NVD

7.3 (HIGH) 6.9 (MEDIUM)

Analysis Generated

Apr 19, 2026 - 13:50 vuln.today

EUVD ID Assigned

Apr 19, 2026 - 13:45 euvd

EUVD-2026-23705

Analysis Generated

Apr 19, 2026 - 13:45 vuln.today

CVE Published

Apr 19, 2026 - 13:30 nvd

MEDIUM 5.5

DescriptionCVE.org

A vulnerability has been found in osuuu LightPicture up to 1.2.2. This issue affects some unknown processing of the file /public/install/lp.sql of the component API Upload Endpoint. Such manipulation of the argument key leads to hard-coded credentials. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Hard-coded credentials in osuuu LightPicture versions up to 1.2.2 allow unauthenticated remote attackers to bypass authentication via the /public/install/lp.sql file at the API upload endpoint. The vulnerability enables unauthorized access with confidentiality, integrity, and availability impacts. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify target LightPicture instance

Delivery

Access /public/install/lp.sql via HTTP

Exploit

Extract hard-coded credentials from SQL file

Execution

Authenticate to API upload endpoint using static credentials

Impact

Execute unauthorized operations (upload/modify/exfiltrate)