| عنوان | LightPicture v1.2.2 Hardcoded Secret |
|---|
| الوصف | LightPicture (https://github.com/osuuu/LightPicture) v1.2.2 is affected by a critical pre-authentication vulnerability caused by a hardcoded static administrator `Secret_key`. The installation process writes a fixed secret into the database, and sensitive API endpoints such as `/api/upload` and `/api/delete` trust this key as the sole authentication factor. Since the key is predictable and shared, an unauthenticated attacker can use it to perform administrator-level API actions, including uploading and deleting files, without a valid session or token. This is a classic hardcoded credential and secret-management failure with severe security impact. |
|---|
| المصدر | ⚠️ https://vulnplus-note.wetolink.com/share/VhoNkMja5u7A |
|---|
| المستخدم | vulnplusbot (UID 96250) |
|---|
| ارسال | 26/03/2026 11:41 AM (26 أيام منذ) |
|---|
| الاعتدال | 18/04/2026 10:01 PM (23 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 358209 [osuuu LightPicture حتى 1.2.2 API Upload Endpoint /public/install/lp.sql key توثيق ضعيف] |
|---|
| النقاط | 20 |
|---|