Lucene search
+L

6 matches found

RedhatCVE
RedhatCVE
added 2026/06/05 7:44 p.m.12 views

CVE-2026-39957

Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll causes the orWhereNotNull'usergroupid' clause to escape the ownership filter applied by the when block. Any authenticated non-admin user with upload permission who owns...

4.3CVSS5.6AI score0.00208EPSS
Exploits1References1
NVD
NVD
added 2026/04/09 5:16 p.m.16 views

CVE-2026-39957

Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll causes the orWhereNotNull'usergroupid' clause to escape the ownership filter applied by the when block. Any authenticated non-admin user with upload permission who owns...

4.3CVSS0.00208EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/04/09 4:14 p.m.29 views

CVE-2026-39957 Lychee has Broken Access Control in SharingController::listAll() leaks private album sharing metadata to unauthorized users

Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll causes the orWhereNotNull'usergroupid' clause to escape the ownership filter applied by the when block. Any authenticated non-admin user with upload permission who owns...

2.3CVSS0.00208EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/04/09 4:14 p.m.3 views

CVE-2026-39957

Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll causes the orWhereNotNull'usergroupid' clause to escape the ownership filter applied by the when block. Any authenticated non-admin user with upload permission who owns...

2.3CVSS6AI score0.00208EPSS
Exploits1References4Affected Software1
CVE
CVE
added 2026/04/09 4:14 p.m.20 views

CVE-2026-39957

Lychee (open-source photo manager) prior to version 7.5.4 is affected by a SQL operator-precedence bug in SharingController::listAll() that causes the orWhereNotNull('user_group_id') clause to bypass the ownership filter within the when() block. This allows any authenticated non-admin user with u...

4.3CVSS6AI score0.00208EPSS
Exploits1References3Affected Software1
EUVD
EUVD
added 2026/04/09 4:14 p.m.7 views

EUVD-2026-20954

Lychee is a free, open-source photo-management tool. Prior to 7.5.4, a SQL operator-precedence bug in SharingController::listAll causes the orWhereNotNull'usergroupid' clause to escape the ownership filter applied by the when block. Any authenticated non-admin user with upload permission who owns...

2.3CVSS6AI score0.00208EPSS
Exploits1References3
Rows per page
Query Builder