MEDIUM
chevereto
CVE published 2026-07-07
CVE-2026-55417
CVE-2026-55417 is a vulnerability in Chevereto, a self-hosted media-sharing platform. When a user enables the private profile option, their profile HTML route (/username) correctly returns 404. However, the /json AJAX listing endpoint does not apply the same check. An unauthenticated caller who knows the target's user ID can retrieve all of that user's publicly-scoped images, revealing the username (which [truncated]