5 matches found
CVE-2026-22784
Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that allows users to gain possibly unauthorized access to other users' password-protected albums. When a user unlocks a password-protected...
PT-2025-27148 · Lychee · Lychee
Name of the Vulnerable Software and Affected Versions: Lychee versions prior to 6.6.13
Description: A critical Server-Side Request Forgery (SSRF) issue exists in the "/api/v2/Photo::fromUrl" endpoint, allowing an attacker to instruct the application's backend to make HTTP requests to any URL they...
PT-2025-25769 · Lychee · Lychee
Name of the Vulnerable Software and Affected Versions: Lychee versions 6.6.6 through 6.6.9
Description: The issue affects Lychee, a free photo-management tool. An attacker can exploit a path traversal vulnerability in SecurePathController.php to leak local files, including environment variables,...
PT-2024-21141 · Lychee · Lychee
Name of the Vulnerable Software and Affected Versions: Lychee version 3.1.6
Description: A Cross-site Request Forgery (CSRF) issue allows remote attackers to execute arbitrary code via the create new album function. This can be exploited to perform unauthorized actions on the affected system...
Lychee 'importUrl()' function remote code execution vulnerability
Lychee is a free, open-source image management tool. A remote code execution vulnerability exists in Lychee. An attacker could use this vulnerability to execute arbitrary code in the context of an affected application, which could also result in a denial of service...