2 changes (1 new | 1 updated):

cvelistV5 Github Action · cvelistV5 Github Action · commit 11a156a290eb · 2026-04-19T13:40:36.000Z
- 1 new CVEs: CVE-2026-6574 - 1 updated CVEs: CVE-2025-0974
diff --git a/cves/2025/0xxx/CVE-2025-0974.json b/cves/2025/0xxx/CVE-2025-0974.json
@@ -1,21 +1,21 @@
 {
     "dataType": "CVE_RECORD",
-    "dataVersion": "5.1",
+    "dataVersion": "5.2",
     "cveMetadata": {
         "cveId": "CVE-2025-0974",
         "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
         "state": "PUBLISHED",
         "assignerShortName": "VulDB",
         "dateReserved": "2025-02-02T09:03:03.907Z",
         "datePublished": "2025-02-03T01:00:13.487Z",
-        "dateUpdated": "2025-02-12T20:41:37.430Z"
+        "dateUpdated": "2026-04-19T13:24:22.430Z"
     },
     "containers": {
         "cna": {
             "providerMetadata": {
                 "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
                 "shortName": "VulDB",
-                "dateUpdated": "2025-02-03T01:00:13.487Z"
+                "dateUpdated": "2026-04-19T13:24:22.430Z"
             },
             "title": "MaxD Lightning Module deserialization",
             "problemTypes": [
@@ -48,50 +48,54 @@
                         {
                             "version": "4.43",
                             "status": "affected"
+                        },
+                        {
+                            "version": "4.44",
+                            "status": "affected"
+                        },
+                        {
+                            "version": "4.45",
+                            "status": "unaffected"
                         }
                     ]
                 }
             ],
             "descriptions": [
                 {
                     "lang": "en",
-                    "value": "A vulnerability, which was classified as critical, has been found in MaxD Lightning Module 4.43 on OpenCart. This issue affects some unknown processing. The manipulation of the argument li_op/md leads to deserialization. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used."
-                },
-                {
-                    "lang": "de",
-                    "value": "Eine Schwachstelle wurde in MaxD Lightning Module 4.43 für OpenCart entdeckt. Sie wurde als kritisch eingestuft. Davon betroffen ist unbekannter Code. Mittels dem Manipulieren des Arguments li_op/md mit unbekannten Daten kann eine deserialization-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk erfolgen. Die Komplexität eines Angriffs ist eher hoch. Die Ausnutzbarkeit gilt als schwierig. Der Exploit steht zur öffentlichen Verfügung."
+                    "value": "A vulnerability was determined in MaxD Lightning Module 4.43/4.44 on OpenCart. This issue affects some unknown processing. Executing a manipulation of the argument li_op/md can lead to deserialization. The attack may be launched remotely. The attack requires a high level of complexity. The exploitability is assessed as difficult. The exploit has been publicly disclosed and may be utilized. Upgrading to version 4.45 is capable of addressing this issue. Upgrading the affected component is advised."
                 }
             ],
             "metrics": [
                 {
                     "cvssV4_0": {
                         "version": "4.0",
                         "baseScore": 2.3,
-                        "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
+                        "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                         "baseSeverity": "LOW"
                     }
                 },
                 {
                     "cvssV3_1": {
                         "version": "3.1",
                         "baseScore": 5,
-                        "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
+                        "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                         "baseSeverity": "MEDIUM"
                     }
                 },
                 {
                     "cvssV3_0": {
                         "version": "3.0",
                         "baseScore": 5,
-                        "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
+                        "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                         "baseSeverity": "MEDIUM"
                     }
                 },
                 {
                     "cvssV2_0": {
                         "version": "2.0",
                         "baseScore": 4.6,
-                        "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P"
+                        "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"
                     }
                 }
             ],
@@ -107,7 +111,7 @@
                     "value": "VulDB entry created"
                 },
                 {
-                    "time": "2025-02-02T10:09:12.000Z",
+                    "time": "2026-04-19T15:28:28.000Z",
                     "lang": "en",
                     "value": "VulDB entry last update"
                 }
@@ -121,23 +125,23 @@
             ],
             "references": [
                 {
-                    "url": "https://vuldb.com/?id.294365",
+                    "url": "https://vuldb.com/vuln/294365",
                     "name": "VDB-294365 | MaxD Lightning Module deserialization",
                     "tags": [
                         "vdb-entry",
                         "technical-description"
                     ]
                 },
                 {
-                    "url": "https://vuldb.com/?ctiid.294365",
+                    "url": "https://vuldb.com/vuln/294365/cti",
                     "name": "VDB-294365 | CTI Indicators (IOB, IOC, IOA)",
                     "tags": [
                         "signature",
                         "permissions-required"
                     ]
                 },
                 {
-                    "url": "https://vuldb.com/?submit.489672",
+                    "url": "https://vuldb.com/submit/489672",
                     "name": "Submit #489672 | devs.mx OpenCart Lightning 4.43 Deserialization of Untrusted Data",
                     "tags": [
                         "third-party-advisory"
@@ -148,6 +152,12 @@
                     "tags": [
                         "exploit"
                     ]
+                },
+                {
+                    "url": "https://lightning.devs.mx/download",
+                    "tags": [
+                        "patch"
+                    ]
                 }
             ]
         },
diff --git a/cves/2026/6xxx/CVE-2026-6574.json b/cves/2026/6xxx/CVE-2026-6574.json
@@ -0,0 +1,171 @@
+{
+    "dataType": "CVE_RECORD",
+    "dataVersion": "5.2",
+    "cveMetadata": {
+        "cveId": "CVE-2026-6574",
+        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
+        "state": "PUBLISHED",
+        "assignerShortName": "VulDB",
+        "dateReserved": "2026-04-18T20:01:42.583Z",
+        "datePublished": "2026-04-19T13:30:17.265Z",
+        "dateUpdated": "2026-04-19T13:30:17.265Z"
+    },
+    "containers": {
+        "cna": {
+            "providerMetadata": {
+                "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
+                "shortName": "VulDB",
+                "dateUpdated": "2026-04-19T13:30:17.265Z"
+            },
+            "title": "osuuu LightPicture API Upload Endpoint lp.sql hard-coded credentials",
+            "problemTypes": [
+                {
+                    "descriptions": [
+                        {
+                            "type": "CWE",
+                            "cweId": "CWE-798",
+                            "lang": "en",
+                            "description": "Hard-coded Credentials"
+                        }
+                    ]
+                },
+                {
+                    "descriptions": [
+                        {
+                            "type": "CWE",
+                            "cweId": "CWE-259",
+                            "lang": "en",
+                            "description": "Use of Hard-coded Password"
+                        }
+                    ]
+                }
+            ],
+            "affected": [
+                {
+                    "vendor": "osuuu",
+                    "product": "LightPicture",
+                    "versions": [
+                        {
+                            "version": "1.2.0",
+                            "status": "affected"
+                        },
+                        {
+                            "version": "1.2.1",
+                            "status": "affected"
+                        },
+                        {
+                            "version": "1.2.2",
+                            "status": "affected"
+                        }
+                    ],
+                    "cpes": [
+                        "cpe:2.3:a:osuuu:lightpicture:*:*:*:*:*:*:*:*"
+                    ],
+                    "modules": [
+                        "API Upload Endpoint"
+                    ]
+                }
+            ],
+            "descriptions": [
+                {
+                    "lang": "en",
+                    "value": "A vulnerability has been found in osuuu LightPicture up to 1.2.2. This issue affects some unknown processing of the file /public/install/lp.sql of the component API Upload Endpoint. Such manipulation of the argument key leads to hard-coded credentials. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
+                }
+            ],
+            "metrics": [
+                {
+                    "cvssV4_0": {
+                        "version": "4.0",
+                        "baseScore": 6.9,
+                        "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
+                        "baseSeverity": "MEDIUM"
+                    }
+                },
+                {
+                    "cvssV3_1": {
+                        "version": "3.1",
+                        "baseScore": 7.3,
+                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
+                        "baseSeverity": "HIGH"
+                    }
+                },
+                {
+                    "cvssV3_0": {
+                        "version": "3.0",
+                        "baseScore": 7.3,
+                        "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
+                        "baseSeverity": "HIGH"
+                    }
+                },
+                {
+                    "cvssV2_0": {
+                        "version": "2.0",
+                        "baseScore": 7.5,
+                        "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"
+                    }
+                }
+            ],
+            "timeline": [
+                {
+                    "time": "2026-04-18T00:00:00.000Z",
+                    "lang": "en",
+                    "value": "Advisory disclosed"
+                },
+                {
+                    "time": "2026-04-18T02:00:00.000Z",
+                    "lang": "en",
+                    "value": "VulDB entry created"
+                },
+                {
+                    "time": "2026-04-18T22:06:53.000Z",
+                    "lang": "en",
+                    "value": "VulDB entry last update"
+                }
+            ],
+            "credits": [
+                {
+                    "lang": "en",
+                    "value": "vulnplusbot (VulDB User)",
+                    "type": "reporter"
+                },
+                {
+                    "lang": "en",
+                    "value": "VulDB CNA Team",
+                    "type": "coordinator"
+                }
+            ],
+            "references": [
+                {
+                    "url": "https://vuldb.com/vuln/358209",
+                    "name": "VDB-358209 | osuuu LightPicture API Upload Endpoint lp.sql hard-coded credentials",
+                    "tags": [
+                        "vdb-entry",
+                        "technical-description"
+                    ]
+                },
+                {
+                    "url": "https://vuldb.com/vuln/358209/cti",
+                    "name": "VDB-358209 | CTI Indicators (IOB, IOC, TTP, IOA)",
+                    "tags": [
+                        "signature",
+                        "permissions-required"
+                    ]
+                },
+                {
+                    "url": "https://vuldb.com/submit/790000",
+                    "name": "Submit #790000 | LightPicture v1.2.2 Hardcoded Secret",
+                    "tags": [
+                        "third-party-advisory"
+                    ]
+                },
+                {
+                    "url": "https://vulnplus-note.wetolink.com/share/VhoNkMja5u7A",
+                    "tags": [
+                        "broken-link",
+                        "exploit"
+                    ]
+                }
+            ]
+        }
+    }
+}
diff --git a/cves/delta.json b/cves/delta.json
@@ -1,14 +1,21 @@
 {
-  "fetchTime": "2026-04-19T13:12:18.173Z",
-  "numberOfChanges": 1,
+  "fetchTime": "2026-04-19T13:39:36.120Z",
+  "numberOfChanges": 2,
   "new": [
     {
-      "cveId": "CVE-2026-6573",
-      "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2026-6573",
-      "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/6xxx/CVE-2026-6573.json",
-      "dateUpdated": "2026-04-19T12:45:14.558Z"
+      "cveId": "CVE-2026-6574",
+      "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2026-6574",
+      "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/6xxx/CVE-2026-6574.json",
+      "dateUpdated": "2026-04-19T13:30:17.265Z"
+    }
+  ],
+  "updated": [
+    {
+      "cveId": "CVE-2025-0974",
+      "cveOrgLink": "https://www.cve.org/CVERecord?id=CVE-2025-0974",
+      "githubLink": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2025/0xxx/CVE-2025-0974.json",
+      "dateUpdated": "2026-04-19T13:24:22.430Z"
     }
   ],
-  "updated": [],
   "error": []
 }
diff --git a/cves/deltaLog.json b/cves/deltaLog.json

Original file line number	Diff line number	Diff line change
`@@ -1,21 +1,21 @@`
`1`	`1`	`{`
`2`	`2`	`"dataType": "CVE_RECORD",`
`3`		`- "dataVersion": "5.1",`
	`3`	`+ "dataVersion": "5.2",`
`4`	`4`	`"cveMetadata": {`
`5`	`5`	`"cveId": "CVE-2025-0974",`
`6`	`6`	`"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",`
`7`	`7`	`"state": "PUBLISHED",`
`8`	`8`	`"assignerShortName": "VulDB",`
`9`	`9`	`"dateReserved": "2025-02-02T09:03:03.907Z",`
`10`	`10`	`"datePublished": "2025-02-03T01:00:13.487Z",`
`11`		`- "dateUpdated": "2025-02-12T20:41:37.430Z"`
	`11`	`+ "dateUpdated": "2026-04-19T13:24:22.430Z"`
`12`	`12`	`},`
`13`	`13`	`"containers": {`
`14`	`14`	`"cna": {`
`15`	`15`	`"providerMetadata": {`
`16`	`16`	`"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",`
`17`	`17`	`"shortName": "VulDB",`
`18`		`- "dateUpdated": "2025-02-03T01:00:13.487Z"`
	`18`	`+ "dateUpdated": "2026-04-19T13:24:22.430Z"`
`19`	`19`	`},`
`20`	`20`	`"title": "MaxD Lightning Module deserialization",`
`21`	`21`	`"problemTypes": [`
`@@ -48,50 +48,54 @@`
`48`	`48`	`{`
`49`	`49`	`"version": "4.43",`
`50`	`50`	`"status": "affected"`
	`51`	`+ },`
	`52`	`+ {`
	`53`	`+ "version": "4.44",`
	`54`	`+ "status": "affected"`
	`55`	`+ },`
	`56`	`+ {`
	`57`	`+ "version": "4.45",`
	`58`	`+ "status": "unaffected"`
`51`	`59`	`}`
`52`	`60`	`]`
`53`	`61`	`}`
`54`	`62`	`],`
`55`	`63`	`"descriptions": [`
`56`	`64`	`{`
`57`	`65`	`"lang": "en",`
`58`		`- "value": "A vulnerability, which was classified as critical, has been found in MaxD Lightning Module 4.43 on OpenCart. This issue affects some unknown processing. The manipulation of the argument li_op/md leads to deserialization. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used."`
`59`		`- },`
`60`		`- {`
`61`		`- "lang": "de",`
`62`		`- "value": "Eine Schwachstelle wurde in MaxD Lightning Module 4.43 für OpenCart entdeckt. Sie wurde als kritisch eingestuft. Davon betroffen ist unbekannter Code. Mittels dem Manipulieren des Arguments li_op/md mit unbekannten Daten kann eine deserialization-Schwachstelle ausgenutzt werden. Der Angriff kann über das Netzwerk erfolgen. Die Komplexität eines Angriffs ist eher hoch. Die Ausnutzbarkeit gilt als schwierig. Der Exploit steht zur öffentlichen Verfügung."`
	`66`	+ "value": "A vulnerability was determined in MaxD Lightning Module 4.43/4.44 on OpenCart. This issue affects some unknown processing. Executing a manipulation of the argument li_op/md can lead to deserialization. The attack may be launched remotely. The attack requires a high level of complexity. The exploitability is assessed as difficult. The exploit has been publicly disclosed and may be utilized. Upgrading to version 4.45 is capable of addressing this issue. Upgrading the affected component is advised."
`63`	`67`	`}`
`64`	`68`	`],`
`65`	`69`	`"metrics": [`
`66`	`70`	`{`
`67`	`71`	`"cvssV4_0": {`
`68`	`72`	`"version": "4.0",`
`69`	`73`	`"baseScore": 2.3,`
`70`		`- "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",`
	`74`	`+ "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",`
`71`	`75`	`"baseSeverity": "LOW"`
`72`	`76`	`}`
`73`	`77`	`},`
`74`	`78`	`{`
`75`	`79`	`"cvssV3_1": {`
`76`	`80`	`"version": "3.1",`
`77`	`81`	`"baseScore": 5,`
`78`		`- "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",`
	`82`	`+ "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",`
`79`	`83`	`"baseSeverity": "MEDIUM"`
`80`	`84`	`}`
`81`	`85`	`},`
`82`	`86`	`{`
`83`	`87`	`"cvssV3_0": {`
`84`	`88`	`"version": "3.0",`
`85`	`89`	`"baseScore": 5,`
`86`		`- "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",`
	`90`	`+ "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",`
`87`	`91`	`"baseSeverity": "MEDIUM"`
`88`	`92`	`}`
`89`	`93`	`},`
`90`	`94`	`{`
`91`	`95`	`"cvssV2_0": {`
`92`	`96`	`"version": "2.0",`
`93`	`97`	`"baseScore": 4.6,`
`94`		`- "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P"`
	`98`	`+ "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C"`
`95`	`99`	`}`
`96`	`100`	`}`
`97`	`101`	`],`
`@@ -107,7 +111,7 @@`
`107`	`111`	`"value": "VulDB entry created"`
`108`	`112`	`},`
`109`	`113`	`{`
`110`		`- "time": "2025-02-02T10:09:12.000Z",`
	`114`	`+ "time": "2026-04-19T15:28:28.000Z",`
`111`	`115`	`"lang": "en",`
`112`	`116`	`"value": "VulDB entry last update"`
`113`	`117`	`}`
`@@ -121,23 +125,23 @@`
`121`	`125`	`],`
`122`	`126`	`"references": [`
`123`	`127`	`{`
`124`		`- "url": "https://vuldb.com/?id.294365",`
	`128`	`+ "url": "https://vuldb.com/vuln/294365",`
`125`	`129`	`"name": "VDB-294365 \| MaxD Lightning Module deserialization",`
`126`	`130`	`"tags": [`
`127`	`131`	`"vdb-entry",`
`128`	`132`	`"technical-description"`
`129`	`133`	`]`
`130`	`134`	`},`
`131`	`135`	`{`
`132`		`- "url": "https://vuldb.com/?ctiid.294365",`
	`136`	`+ "url": "https://vuldb.com/vuln/294365/cti",`
`133`	`137`	`"name": "VDB-294365 \| CTI Indicators (IOB, IOC, IOA)",`
`134`	`138`	`"tags": [`
`135`	`139`	`"signature",`
`136`	`140`	`"permissions-required"`
`137`	`141`	`]`
`138`	`142`	`},`
`139`	`143`	`{`
`140`		`- "url": "https://vuldb.com/?submit.489672",`
	`144`	`+ "url": "https://vuldb.com/submit/489672",`
`141`	`145`	`"name": "Submit #489672 \| devs.mx OpenCart Lightning 4.43 Deserialization of Untrusted Data",`
`142`	`146`	`"tags": [`
`143`	`147`	`"third-party-advisory"`
`@@ -148,6 +152,12 @@`
`148`	`152`	`"tags": [`
`149`	`153`	`"exploit"`
`150`	`154`	`]`
	`155`	`+ },`
	`156`	`+ {`
	`157`	`+ "url": "https://lightning.devs.mx/download",`
	`158`	`+ "tags": [`
	`159`	`+ "patch"`
	`160`	`+ ]`
`151`	`161`	`}`
`152`	`162`	`]`
`153`	`163`	`},`