132 matches found
EUVD-2026-16417
Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo description field is stored without HTML sanitization and rendered using !! $item-summary !! Blade unescaped output in the RSS, Atom, and JSON feed templates. The /feed endpoint is publicly accessible without...
CVE-2026-33738 Lychee Vulnerable to Stored XSS via Photo Description in RSS/Atom/JSON Feed (No Sanitization on Public Endpoint)
Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo description field is stored without HTML sanitization and rendered using !! $item-summary !! Blade unescaped output in the RSS, Atom, and JSON feed templates. The /feed endpoint is publicly accessible without...
CVE-2026-33738
Vulnerability summary (CVE-2026-33738) : Lychee prior to version 7.5.3 is affected. The photo description field is stored without HTML sanitization and is rendered via unescaped Blade output ({!! $item->summary !!}) in the RSS, Atom, and JSON feed templates. The publicly accessible /feed endpo...
CVE-2026-33644
Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in PhotoUrlRule.php can be bypassed using DNS rebinding. The IP validation check line 86-89 only activates when the hostname is an IP address. When a domain name is used, filtervar$host,...
CVE-2026-33644 Lychee has SSRF bypass via DNS rebinding — PhotoUrlRule only validates IP addresses, not hostnames resolving to internal IPs
Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in PhotoUrlRule.php can be bypassed using DNS rebinding. The IP validation check line 86-89 only activates when the hostname is an IP address. When a domain name is used, filtervar$host,...
CVE-2026-33644
CVE-2026-33644 describes an SSRF bypass in Lychee prior to 7.5.2. The issue lies in the PhotoUrlRule.php validation: the IP address check (lines 86–89) activates only when the hostname is an IP, so domain names resolve to internal IPs and bypass the check, enabling potential SSRF. A patch is avai...
EUVD-2026-16374
Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in PhotoUrlRule.php can be bypassed using DNS rebinding. The IP validation check line 86-89 only activates when the hostname is an IP address. When a domain name is used, filtervar$host,...
CVE-2026-33644 Lychee has SSRF bypass via DNS rebinding — PhotoUrlRule only validates IP addresses, not hostnames resolving to internal IPs
Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in PhotoUrlRule.php can be bypassed using DNS rebinding. The IP validation check line 86-89 only activates when the hostname is an IP address. When a domain name is used, filtervar$host,...
CVE-2026-33644 Lychee has SSRF bypass via DNS rebinding — PhotoUrlRule only validates IP addresses, not hostnames resolving to internal IPs
Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in PhotoUrlRule.php can be bypassed using DNS rebinding. The IP validation check line 86-89 only activates when the hostname is an IP address. When a domain name is used, filtervar$host,...
CVE-2026-33537 Lychee has SSRF bypass via incomplete IP validation in Photo::fromUrl — loopback and link-local IPs not blocked
Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v SSRF via Photo::fromUrl contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach...
CVE-2026-33537 Lychee has SSRF bypass via incomplete IP validation in Photo::fromUrl — loopback and link-local IPs not blocked
Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v SSRF via Photo::fromUrl contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach...
CVE-2026-33537
Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v SSRF via Photo::fromUrl contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach...
CVE-2026-33537
Lychee (open-source photo management) is affected by an SSRF issue in Photo::fromUrl due to incomplete IP validation that does not block loopback and link-local addresses. Before version 7.5.1, an authenticated user could reach internal services via direct IPs, bypassing all four protection confi...
Lychee 代码问题漏洞
Lychee is a beautiful and easy-to-use photo management system developed by The Lychee Organisation. It is used for managing and sharing photos. Versions of Lychee prior to 7.5.1 had code vulnerabilities; these vulnerabilities stemmed from incomplete IP verification checks, which failed to prevent...
Lychee 跨站脚本漏洞
Lychee is a beautiful and easy-to-use photo management system developed by The Lychee Organisation. It is used for managing and sharing photos. Versions of Lychee prior to 7.5.3 had a cross-site scripting vulnerability; this vulnerability occurred due to the lack of HTML cleaning when storing pho...
PT-2026-28492
Name of the Vulnerable Software and Affected Versions Lychee versions prior to 7.5.1 Description Lychee is a free, open-source photo-management tool. A flaw exists in the IP validation check within the patch for an SSRF issue related to Photo::fromUrl. This incomplete check fails to block loopbac...
Lychee 代码问题漏洞
Lychee is a beautiful and easy-to-use photo management system developed by The Lychee Organisation. It is used for managing and sharing photos. Versions of Lychee prior to 7.5.2 had code vulnerabilities that could be exploited through DNS redirection bypasses, allowing for server-side request...
PT-2026-28504
Name of the Vulnerable Software and Affected Versions Lychee versions prior to 7.5.2 Description Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the Server-Side Request Forgery SSRF protection in PhotoUrlRule.php could be bypassed using DNS rebinding. The IP validatio...
PT-2026-28519
Name of the Vulnerable Software and Affected Versions Lychee versions prior to 7.5.3 Description Lychee is a free, open-source photo-management tool. Before version 7.5.3, the photo description field was stored without HTML sanitization and rendered using !! $item-summary !! Blade unescaped outpu...
GHSA-H395-GR6Q-CPJC vulnerabilities
Vulnerabilities for packages: wasmcloud, lakekeeper, lychee, komodo, qdrant, uv, py3-xet-core, zed...