CVE-2026-55417
EUVD-2026-4208507.07.2026, 21:17
Chevereto is a self-hosted media-sharing platform. Starting in version 3.7.5 and prior to version 4.5.4, when a user enables the private profile option, visiting their profile HTML route (`/username`) correctly returns 404. However, the `/json` AJAX listing endpoint does not apply the same check. An unauthenticated caller who knows the target's user ID can retrieve all of that user's publicly-scoped images, revealing the username (which should be private). This is patched in Chevereto v4.5.4. No known workarounds are available.Enginsight
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
| Vendor | Product | Version | Source |
|---|---|---|---|
| chevereto | chevereto | 1.0.0 ≤ | CNA |
Common Weakness Enumeration