{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-6574/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-6574"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-6574","hardcoded-credentials","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eosuuu LightPicture, up to version 1.2.2, is vulnerable to a hardcoded credentials exposure vulnerability (CVE-2026-6574). This flaw resides within the API Upload Endpoint and is triggered when processing the \u003ccode\u003e/public/install/lp.sql\u003c/code\u003e file. An attacker can manipulate the \u003ccode\u003ekey\u003c/code\u003e argument to exploit this vulnerability. The vendor has been notified about the vulnerability but has not responded. Public exploits are available, increasing the risk of exploitation. This vulnerability allows an attacker to potentially gain unauthorized access and control over the application.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an instance of osuuu LightPicture running version 1.2.2 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the API Upload Endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a modified \u003ccode\u003ekey\u003c/code\u003e argument within the \u003ccode\u003e/public/install/lp.sql\u003c/code\u003e file path.\u003c/li\u003e\n\u003cli\u003eThe application processes the crafted request without proper sanitization.\u003c/li\u003e\n\u003cli\u003eDue to the manipulated \u003ccode\u003ekey\u003c/code\u003e argument, the application exposes hardcoded credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the exposed hardcoded credentials from the server\u0026rsquo;s response.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the acquired credentials to authenticate and gain unauthorized access to the application.\u003c/li\u003e\n\u003cli\u003eWith unauthorized access, the attacker can perform malicious activities such as data theft, modification, or deletion.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6574 can lead to complete compromise of the osuuu LightPicture application and potentially the underlying server. The vulnerability exposes hardcoded credentials, enabling attackers to bypass authentication and gain administrative privileges. The impact includes unauthorized access to sensitive data, modification of application settings, and potential disruption of service. The vulnerability affects all installations of osuuu LightPicture up to version 1.2.2.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious LP.SQL Access\u003c/code\u003e to identify attempts to access the vulnerable file (log source: webserver).\u003c/li\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003ekey\u003c/code\u003e argument within the API Upload Endpoint to prevent manipulation (reference CVE-2026-6574).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting the \u003ccode\u003e/public/install/lp.sql\u003c/code\u003e file with unusual parameters (log source: webserver).\u003c/li\u003e\n\u003cli\u003eIf upgrading is not possible, implement a web application firewall (WAF) rule to block requests containing malicious patterns in the \u003ccode\u003ekey\u003c/code\u003e argument (log source: firewall).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-19T14:16:11Z","date_published":"2026-04-19T14:16:11Z","id":"/briefs/2026-04-lightpicture-hardcoded-creds/","summary":"CVE-2026-6574 allows remote attackers to manipulate the 'key' argument in the /public/install/lp.sql file via the API Upload Endpoint in osuuu LightPicture \u003c= 1.2.2, leading to hardcoded credentials exposure.","title":"osuuu LightPicture Hardcoded Credentials Vulnerability (CVE-2026-6574)","url":"https://feed.craftedsignal.io/briefs/2026-04-lightpicture-hardcoded-creds/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-6574","version":"https://jsonfeed.org/version/1.1"}