PT-2026-53662 · Librephotos · Librephotos
George Chen · Published 2026-06-29 · Updated 2026-06-29 · CVE-2026-57943

CVSS v3.1: 5.9 Medium
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:N

LibrePhotos before 1.0.0 contains a broken object level authorization vulnerability in the SetPhotosShared endpoint that allows authenticated users to grant themselves access to other users' private photos by bypassing ownership validation. Attackers can manipulate shared to relations without proper owner checks to read arbitrary private photos belonging to other users.
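
The missing ownership check described above, shown as a constructed in-memory model beside a hardened version. This is an added example, not LibrePhotos code; the `Photo` class and all function names are hypothetical.

```python
# Constructed in-memory model; names are hypothetical, not LibrePhotos code.
from dataclasses import dataclass, field


@dataclass
class Photo:
    photo_id: str
    owner: str
    shared_to: set = field(default_factory=set)


def can_read(photo, user):
    """Read access: the owner, or anyone listed in shared_to."""
    return user == photo.owner or user in photo.shared_to


def set_shared_unchecked(photos, requester, photo_ids, target, share=True):
    """Flawed pattern: photos are looked up by id only, so the requester's
    identity never limits which shared_to sets get modified."""
    changed = 0
    for pid in set(photo_ids):
        photo = photos.get(pid)
        if photo is not None:
            (photo.shared_to.add if share else photo.shared_to.discard)(target)
            changed += 1
    return changed


def set_shared_checked(photos, requester, photo_ids, target, share=True):
    """Hardened pattern: resolve ids only within the requester's own photos
    and reject the whole request if any id falls outside that set."""
    ids = set(photo_ids)
    owned = [photos[p] for p in ids if p in photos and photos[p].owner == requester]
    if len(owned) != len(ids):
        raise PermissionError("request includes photos not owned by requester")
    for photo in owned:
        (photo.shared_to.add if share else photo.shared_to.discard)(target)
    return len(owned)


def demo():
    # Constructed sample data: alice and bob each own one private photo.
    photos = {"p1": Photo("p1", "alice"), "p2": Photo("p2", "bob")}
    set_shared_unchecked(photos, "bob", ["p1"], "bob")
    leaked = can_read(photos["p1"], "bob")  # ownership was never checked
    photos["p1"].shared_to.clear()
    try:
        set_shared_checked(photos, "bob", ["p1"], "bob")
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, blocked, can_read(photos["p1"], "bob")
```

Rejecting the whole request on any non-owned id, rather than silently skipping it, gives a single authorization failure that is straightforward to log and alert on.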
Exploit
Fix
IDOR
Affected Products
Librephotos