Auth bypass in Chevereto

CVE-2026-55417

Chevereto is a self-hosted media-sharing platform. Starting in version 3.7.5 and prior to version 4.5.4, when a user enables the private profile option, visiting their profile HTML route (`/username`) correctly returns 404. However, the `/…

Vulnerability class: Broken Access Control

Affected products

Weakness classification (CWE)

References