Skip to main content

Rodber Chevereto Free

1 CVEs product

Monthly

CVE-2026-55417 MEDIUM PATCH This Month

Chevereto's `/json` AJAX listing endpoint fails to enforce the private profile access control that the HTML profile route correctly applies, exposing user images and usernames to unauthenticated callers. Versions 3.7.5 through 4.5.3 are affected across both the commercial Chevereto product and the Chevereto Free (rodber/chevereto-free) variant. An unauthenticated attacker who knows a target's numeric user ID can bypass the privacy setting to retrieve all publicly-scoped media and recover the username the victim explicitly chose to hide. No public exploit is identified at time of analysis, and this vulnerability is not listed in CISA KEV.

Authentication Bypass Chevereto Chevereto Chevereto Rodber Chevereto Free
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Chevereto's `/json` AJAX listing endpoint fails to enforce the private profile access control that the HTML profile route correctly applies, exposing user images and usernames to unauthenticated callers. Versions 3.7.5 through 4.5.3 are affected across both the commercial Chevereto product and the Chevereto Free (rodber/chevereto-free) variant. An unauthenticated attacker who knows a target's numeric user ID can bypass the privacy setting to retrieve all publicly-scoped media and recover the username the victim explicitly chose to hide. No public exploit is identified at time of analysis, and this vulnerability is not listed in CISA KEV.

Authentication Bypass Chevereto Chevereto Chevereto +1
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy