CVE-2026-6574: Hardcoded Credentials in osuuu LightPicture API


The National Vulnerability Database (NVD) has published details of CVE-2026-6574, a high-severity vulnerability (CVSS 7.3) in osuuu LightPicture versions up to 1.2.2. The flaw stems from hard-coded credentials within the `/public/install/lp.sql` file and affects the API Upload Endpoint component.

Attackers can exploit this remotely by manipulating the `key` argument, gaining unauthorized access. An exploit has been publicly disclosed, which significantly increases the risk of widespread attacks. NVD notes that the vendor was unresponsive to early disclosure attempts, leaving users without an official patch or guidance.

This is a classic case of poor security hygiene leading to immediate exposure. Hardcoded credentials are a gift to attackers, especially when an exploit is public. Defenders need to assume this vulnerability is actively being scanned for and exploited.

What This Means For You

  • If your organization uses osuuu LightPicture, assume compromise. Immediately identify all instances, revoke any API keys or credentials associated with the affected component, and audit logs for unauthorized requests to `/public/install/lp.sql` and to the upload API. A patch is critical, but without vendor support, mitigation means isolating these systems or discontinuing their use until a fix emerges.
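The log audit recommended above can be scripted. The following is an added example and not code from the advisory or from the LightPicture project: it scans web-server access logs for the two request patterns the advisory names, fetches of `/public/install/lp.sql` and upload-API calls carrying a `key` parameter, and tallies them per client address. It assumes the nginx/Apache "combined" log format and that the upload route contains the word "upload" (the advisory does not give the exact route); the log lines are constructed sample data.

```python
"""Audit access logs for the CVE-2026-6574 request patterns.

Added example, not from the advisory or the LightPicture project.
Assumptions: combined log format; the upload route contains "upload".
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: nginx/Apache "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# File named in the advisory as holding the hard-coded credentials.
INSTALL_SQL = "/public/install/lp.sql"


def classify(line: str):
    """Return (kind, ip, status, path) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    query = parse_qs(url.query)
    ip, status = m.group("ip"), int(m.group("status"))
    # 1) Any fetch of the installer SQL dump. A 2xx here means the file,
    #    and the credentials inside it, was actually served to the client.
    if url.path == INSTALL_SQL:
        return ("install-sql-fetch", ip, status, url.path)
    # 2) Upload-API calls that pass `key` in the query string. Assumption:
    #    the upload route contains "upload"; the advisory does not name it.
    if "upload" in url.path.lower() and "key" in query:
        return ("upload-with-key", ip, status, url.path)
    return None


def audit(lines):
    """Return the list of findings and a per-IP summary of them."""
    findings = [f for f in map(classify, lines) if f is not None]
    by_ip = {}
    for kind, ip, status, _ in findings:
        entry = by_ip.setdefault(
            ip, {"install-sql-fetch": 0, "upload-with-key": 0, "served": 0}
        )
        entry[kind] += 1
        if 200 <= status < 300:  # request succeeded, not just attempted
            entry["served"] += 1
    return findings, by_ip


# Constructed sample log lines (not real traffic); the key value is a placeholder.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Apr/2026:17:20:01 +0000] "GET /public/install/lp.sql HTTP/1.1" 200 18342 "-" "curl/8.5.0"',
    '203.0.113.7 - - [19/Apr/2026:17:21:44 +0000] "POST /api/upload?key=EXAMPLE-KEY-PLACEHOLDER HTTP/1.1" 200 212 "-" "curl/8.5.0"',
    '198.51.100.23 - - [19/Apr/2026:17:22:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [19/Apr/2026:17:23:05 +0000] "POST /api/upload?key=EXAMPLE-KEY-PLACEHOLDER HTTP/1.1" 403 48 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Apr/2026:17:24:30 +0000] "GET /public/install/lp.sql HTTP/1.1" 404 153 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    found, summary = audit(SAMPLE_LOG)
    for kind, ip, status, path in found:
        print(f"{kind:18} {ip:15} {status} {path}")
    for ip, counts in summary.items():
        print(ip, counts)
```

Two caveats for anyone running this against real logs: access logs only reveal a `key` passed in the query string, so a key submitted in a POST body will not show up here and must be checked in the application's own logs; and a 404 on `lp.sql` still indicates someone probing for the file, which is worth recording even though nothing was served.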

Related ATT&CK Techniques

  • T1190 Exploit Public-Facing Application (Initial Access), severity: high

Indicators of Compromise

| ID | Type | Indicator |
| --- | --- | --- |
| CVE-2026-6574 | Information Disclosure | osuuu LightPicture up to 1.2.2 |
| CVE-2026-6574 | Information Disclosure | Hard-coded credentials in `/public/install/lp.sql` |
| CVE-2026-6574 | Information Disclosure | Vulnerable component: API Upload Endpoint |
| CVE-2026-6574 | Information Disclosure | Manipulation of argument `key` in API Upload Endpoint |
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 19, 2026 at 17:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
