CVE-2026-6574

High

Published: 19 April 2026

Published

19 April 2026

Modified

22 April 2026

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

EPSS Score 0.0005 15.4th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-6574 is a high-severity Use of Hard-coded Password (CWE-259) vulnerability in Wetolink (inferred from references). Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

IA-5 Authenticator Management good match

prevent

IA-5 mandates protection of authenticator content from unauthorized disclosure and prohibits hard-coded credentials, directly addressing the root cause of exposure in this vulnerability.

SI-10 Information Input Validation good match

prevent

SI-10 requires validation of inputs such as the manipulable 'key' argument in the API upload endpoint, preventing the processing that exposes hard-coded credentials.

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely identification, reporting, and remediation of flaws like this hard-coded credential exposure to eliminate the vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1552.001 Credentials In Files Credential Access

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

attack.mitre.org →

Why these techniques?

Vulnerability in public-facing API Upload Endpoint allows remote unauthenticated exploitation to expose hard-coded credentials from lp.sql file (CWE-798), directly mapping to T1190 for exploitation of public app and T1552.001 for unsecured credentials in files.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A vulnerability has been found in osuuu LightPicture up to 1.2.2. This issue affects some unknown processing of the file /public/install/lp.sql of the component API Upload Endpoint. Such manipulation of the argument key leads to hard-coded credentials. The attack may…

be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Deeper analysisAI

CVE-2026-6574 is a vulnerability in osuuu LightPicture up to version 1.2.2, affecting an unknown processing function for the file /public/install/lp.sql within the API Upload Endpoint. The flaw involves manipulation of the argument "key," resulting in exposure of hard-coded credentials, classified under CWE-259 (Use of Hard-coded Password) and CWE-798 (Use of Hard-coded Credentials).

The vulnerability is remotely exploitable by unauthenticated attackers with low complexity (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, base score 7.3). Successful exploitation allows partial impacts to confidentiality, integrity, and availability, such as unauthorized access via the leaked credentials. The exploit has been publicly disclosed and is available for use.

Advisories from VulDB (including submission details and CTI) and VulnPlus note that the vendor was contacted early regarding disclosure but provided no response. No patches, workarounds, or official mitigations are referenced.

The exploit's public availability increases the risk of active use against unpatched instances of LightPicture up to 1.2.2.