132 matches found
CVE-2024-48908
lychee link checking action checks links in Markdown, HTML, and text files using lychee. Prior to version 2.0.2, there is a potential attack of arbitrary code injection vulnerability in lychee-setup of the composite action at action.yml. This issue has been patched in version 2.0.2...
SUSE CVE-2024-48908
lychee link checking action checks links in Markdown, HTML, and text files using lychee. Prior to version 2.0.2, there is a potential attack of arbitrary code injection vulnerability in lychee-setup of the composite action at action.yml. This issue has been patched in version 2.0.2...
CVE-2024-48908
lychee link checking action checks links in Markdown, HTML, and text files using lychee. Prior to version 2.0.2, there is a potential attack of arbitrary code injection vulnerability in lychee-setup of the composite action at action.yml. This issue has been patched in version 2.0.2...
CVE-2024-48908 lychee-action vulnerable to arbitrary code injection in composite action
lychee link checking action checks links in Markdown, HTML, and text files using lychee. Prior to version 2.0.2, there is a potential attack of arbitrary code injection vulnerability in lychee-setup of the composite action at action.yml. This issue has been patched in version 2.0.2...
CVE-2024-48908 lychee-action vulnerable to arbitrary code injection in composite action
lychee link checking action checks links in Markdown, HTML, and text files using lychee. Prior to version 2.0.2, there is a potential attack of arbitrary code injection vulnerability in lychee-setup of the composite action at action.yml. This issue has been patched in version 2.0.2...
CVE-2024-48908
The CVE-2024-48908 entry relates to the lychee-action composite action, where the lychee-setup step in action.yml could enable arbitrary code injection prior to version 2.0.2. Affected component: lychee-action (via lychee-setup). Root cause: insecure handling in the setup of lychee within the com...
CVE-2024-48908 lychee-action vulnerable to arbitrary code injection in composite action
lychee link checking action checks links in Markdown, HTML, and text files using lychee. Prior to version 2.0.2, there is a potential attack of arbitrary code injection vulnerability in lychee-setup of the composite action at action.yml. This issue has been patched in version 2.0.2...
GHSA-65RG-554R-9J5X lychee link checking action affected by arbitrary code injection in composite action
Summary There is a potential attack of arbitrary code injection vulnerability in lychee-setup of the composite action at action.yml. Details The GitHub Action variable inputs.lycheeVersion can be used to execute arbitrary code in the context of the action. PoC yaml - uses: lycheeverse/lychee@v2...
lychee link checking action affected by arbitrary code injection in composite action
Summary There is a potential attack of arbitrary code injection vulnerability in lychee-setup of the composite action at action.yml. Details The GitHub Action variable inputs.lycheeVersion can be used to execute arbitrary code in the context of the action. PoC yaml - uses: lycheeverse/lychee@v2...
CVE-2024-48908
creationtimestamp| type| source ---|---|--- 2025-08-28 13:24:35+00:00| published-proof-of-concept| https://github.com/lycheeverse/lychee-action/security/advisories/GHSA-65rg-554r-9j5x...
Lychee 代码注入漏洞
Lychee is a beautiful and easy-to-use photo management system open-sourced by The Lychee Organisation. It is used to manage and share photos. A code injection vulnerability exists in Lychee versions prior to 2.0.2, which stems from a possible arbitrary code injection in lychee-setup...
PT-2025-35094
Name of the Vulnerable Software and Affected Versions: lychee link checking action versions prior to 2.0.2 Description: The GitHub Action variable inputs.lycheeVersion can be used to execute arbitrary code in the context of the action. This can potentially compromise the security of the target...
CVE-2025-53018
Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery SSRF vulnerability exists in the /api/v2/Photo::fromUrl endpoint. This flaw lets an attacker instruct the application’s backend to make HTTP requests to any URL they choose...
CVE-2025-53018
Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery SSRF vulnerability exists in the /api/v2/Photo::fromUrl endpoint. This flaw lets an attacker instruct the application’s backend to make HTTP requests to any URL they choose...
CVE-2025-53018 Lychee has Server-Side Request Forgery (SSRF) in Photo::fromUrl API via unvalidated remote image URLs
Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery SSRF vulnerability exists in the /api/v2/Photo::fromUrl endpoint. This flaw lets an attacker instruct the application’s backend to make HTTP requests to any URL they choose...
CVE-2025-53018 Lychee has Server-Side Request Forgery (SSRF) in Photo::fromUrl API via unvalidated remote image URLs
Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery SSRF vulnerability exists in the /api/v2/Photo::fromUrl endpoint. This flaw lets an attacker instruct the application’s backend to make HTTP requests to any URL they choose...
CVE-2025-53018 Lychee has Server-Side Request Forgery (SSRF) in Photo::fromUrl API via unvalidated remote image URLs
Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery SSRF vulnerability exists in the /api/v2/Photo::fromUrl endpoint. This flaw lets an attacker instruct the application’s backend to make HTTP requests to any URL they choose...
CVE-2025-53018
Lychee prior to v6.6.13 contains a Server-Side Request Forgery in the /api/v2/Photo::fromUrl endpoint. The flaw allows the backend to fetch arbitrary URLs server-side (via fopen()) with no IP validation, allow-list, timeout, or size limits, enabling an attacker to target internal resources (e.g.,...
PT-2025-27148 · Lychee · Lychee
Name of the Vulnerable Software and Affected Versions: Lychee versions prior to 6.6.13 Description: A critical Server-Side Request Forgery SSRF issue exists in the "/api/v2/Photo::fromUrl" endpoint, allowing an attacker to instruct the application's backend to make HTTP requests to any URL they...
Lychee 安全漏洞
Lychee is a beautiful and easy to use photo management system open-sourced by The Lychee Organisation. It is used to manage and share photos. A security vulnerability exists in Lychee versions prior to 6.6.13, which stems from a server-side request forgery in the /api/v2/Photo::fromUrl endpoint...