182 matches found

RedhatCVE
added 3 days ago, 6 views

CVE-2026-39957

Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll causes the orWhereNotNull('user_group_id') clause to escape the ownership filter applied by the when block. Any authenticated non-admin user with upload permission who owns...

CVSS 4.3 | AI score 5.6 | EPSS 0.00026
Exploits 1 | References 1
RedhatCVE
added 3 days ago, 3 views

CVE-2026-40096

immich is a high performance self-hosted photo and video management solution. Versions prior to 2.7.3 contain an open redirect vulnerability in the shared album functionality, where the album name is inserted unsanitized into a tag in api.service.ts. A registered attacker can create a shared albu...

CVSS 5.4 | AI score 5.2 | EPSS 0.00032
Exploits 1 | References 1
Vulnrichment
added 2026/05/20 7:41 a.m., 5 views

CVE-2026-9059 NextGEN Gallery - SQL Injection

NextGEN Gallery versions prior to 4.2.1 are vulnerable to authenticated SQL injection via the 'orderby' parameter on the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'. The root cause is an insufficient sanitization function '_clean_column' in the data mapper layer that uses a...

CVSS 9.3 | AI score 6 | EPSS 0.00036
Exploits 0 | References 1
EUVD
added 2026/05/20 7:41 a.m., 9 views

EUVD-2026-31073

NextGEN Gallery versions prior to 4.2.1 are vulnerable to authenticated SQL injection via the 'orderby' parameter on the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'. The root cause is an insufficient sanitization function '_clean_column' in the data mapper layer that uses a...

CVSS 9.3 | AI score 6 | EPSS 0.00036
Exploits 0 | References 1
CVE
added 2026/05/20 7:41 a.m., 11 views

CVE-2026-9059

NextGEN Gallery (WordPress) versions prior to 4.2.1 are vulnerable to an authenticated SQL injection. The issue is in the data mapper layer where _clean_column() uses a blacklist instead of a whitelist, allowing an authenticated attacker with the Administrator role (NextGEN Gallery overview capab...

CVSS 9.3 | AI score 6 | EPSS 0.00036
Exploits 0 | References 1
Positive Technologies
added 2026/05/20 12:00 a.m., 7 views

PT-2026-42122

NextGEN Gallery versions prior to 4.2.1 are vulnerable to authenticated SQL injection via the 'orderby' parameter on the REST API endpoints '/imagely/v1/galleries' and '/imagely/v1/albums'. The root cause is an insufficient sanitization function '_clean_column' in the data mapper layer that uses a...

CVSS 9.3 | AI score 6 | EPSS 0.00036
Exploits 0 | References 2
CNNVD
added 2026/04/15 12:00 a.m., 4 views

immich Security Vulnerability

Immich is a high-performance, open-source managed solution for photo and video management. Versions of Immich prior to 2.7.3 contained security vulnerabilities. These vulnerabilities stemmed from an open redirection issue in the shared album feature, which could lead to phishing attacks...

CVSS 5.4 | AI score 5.8 | EPSS 0.00032
Exploits 1 | References 1
EUVD
added 2026/04/14 11:54 p.m., 3 views

EUVD-2026-22816

immich is a high performance self-hosted photo and video management solution. Versions prior to 2.7.3 contain an open redirect vulnerability in the shared album functionality, where the album name is inserted unsanitized into a tag in api.service.ts. A registered attacker can create a shared albu...

CVSS 5.1 | AI score 5.6 | EPSS 0.00032
Exploits 1 | References 2
Positive Technologies
added 2026/04/14 12:00 a.m., 2 views

PT-2026-33001

immich is a high performance self-hosted photo and video management solution. Versions prior to 2.7.3 contain an open redirect vulnerability in the shared album functionality, where the album name is inserted unsanitized into a tag in api.service.ts. A registered attacker can create a shared albu...

CVSS 5.1 | AI score 5.6 | EPSS 0.00032
Exploits 1 | References 3
NVD
added 2026/04/09 5:16 p.m., 1 view

CVE-2026-39957

Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll causes the orWhereNotNull('user_group_id') clause to escape the ownership filter applied by the when block. Any authenticated non-admin user with upload permission who owns...

CVSS 4.3 | EPSS 0.00026
Exploits 1 | References 3
Cvelist
added 2026/04/09 4:14 p.m., 16 views

CVE-2026-39957 Lychee has Broken Access Control in SharingController::listAll() leaks private album sharing metadata to unauthorized users

Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll causes the orWhereNotNull('user_group_id') clause to escape the ownership filter applied by the when block. Any authenticated non-admin user with upload permission who owns...

CVSS 2.3 | EPSS 0.00026
Exploits 1 | References 3
ATTACKERKB
added 2026/04/09 4:14 p.m., 2 views

CVE-2026-39957

Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll causes the orWhereNotNull('user_group_id') clause to escape the ownership filter applied by the when block. Any authenticated non-admin user with upload permission who owns...

CVSS 2.3 | AI score 6 | EPSS 0.00026
Exploits 1 | References 4 | Affected Software 1
CVE
added 2026/04/09 4:14 p.m., 7 views

CVE-2026-39957

Lychee (open-source photo manager) prior to version 7.5.4 is affected by a SQL operator-precedence bug in SharingController::listAll() that causes the orWhereNotNull('user_group_id') clause to bypass the ownership filter within the when() block. This allows any authenticated non-admin user with u...

CVSS 4.3 | AI score 6 | EPSS 0.00026
Exploits 1 | References 3 | Affected Software 1
EUVD
added 2026/04/09 4:14 p.m., 1 view

EUVD-2026-20954

Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll causes the orWhereNotNull('user_group_id') clause to escape the ownership filter applied by the when block. Any authenticated non-admin user with upload permission who owns...

CVSS 2.3 | AI score 6 | EPSS 0.00026
Exploits 1 | References 3
Positive Technologies
added 2026/04/09 12:00 a.m., 1 view

PT-2026-31650

Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll causes the orWhereNotNull('user_group_id') clause to escape the ownership filter applied by the when block. Any authenticated non-admin user with upload permission who ow...

CVSS 2.3 | AI score 6 | EPSS 0.00026
Exploits 1 | References 4
Cvelist
added 2026/04/03 3:51 p.m., 13 views

CVE-2026-25118 immich-server: Insecure Transmission of Authentication Credentials via Password Parameter in HTTP Request Query String When Accessing Shared Albums

immich is a high performance self-hosted photo and video management solution. Prior to version 2.6.0, the Immich application is vulnerable to credential disclosure when a user authenticates to a shared album. During the authentication process, the application transmits the album password within t...

CVSS 6.3 | EPSS 0.00056
Exploits 1 | References 4
Vulnrichment
added 2026/04/03 3:51 p.m., 6 views

CVE-2026-25118 immich-server: Insecure Transmission of Authentication Credentials via Password Parameter in HTTP Request Query String When Accessing Shared Albums

immich is a high performance self-hosted photo and video management solution. Prior to version 2.6.0, the Immich application is vulnerable to credential disclosure when a user authenticates to a shared album. During the authentication process, the application transmits the album password within t...

CVSS 6.3 | AI score 5.8 | EPSS 0.00056
Exploits 1 | References 4
CVE
added 2026/04/03 3:51 p.m., 6 views

CVE-2026-25118

CVE-2026-25118 affects Immich server prior to version 2.6.0, where the authentication process transmits the album password in the URL query string of a GET request to /api/shared-links/me. This causes credential disclosure through browser history, proxy/server logs, and referrer headers, potentia...

CVSS 7.5 | AI score 5.8 | EPSS 0.00056
Exploits 1 | References 4 | Affected Software 1
RedhatCVE
added 2026/01/13 10:53 p.m., 2 views

CVE-2026-22784

Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that allows users to gain possibly unauthorized access to other users' password-protected albums. When a user unlocks a password-protected...

CVSS 4.3 | AI score 7 | EPSS 0.00061
Exploits 1 | References 1
NVD
added 2026/01/12 7:16 p.m., 2 views

CVE-2026-22784

Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that allows users to gain possibly unauthorized access to other users' password-protected albums. When a user unlocks a password-protected...

CVSS 4.3 | EPSS 0.00061
Exploits 1 | References 2