44 matches found
PT-2026-32037
TREK is a collaborative travel planner. Prior to 2.7.2, TREK was missing authorization checks on the Immich trip photo management routes. This vulnerability is fixed in 2.7.2...
CVE-2026-33738
Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo description field is stored without HTML sanitization and rendered using !! $item-summary !! Blade unescaped output in the RSS, Atom, and JSON feed templates. The /feed endpoint is publicly accessible without...
EUVD-2026-16417
Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo description field is stored without HTML sanitization and rendered using !! $item-summary !! Blade unescaped output in the RSS, Atom, and JSON feed templates. The /feed endpoint is publicly accessible without...
EUVD-2026-16369
Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v SSRF via Photo::fromUrl contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach...
CVE-2026-23896
immich is a high performance self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privilege API key to grant itself full administrative access to the system. Version 2.5.0 fixes the issu...
EUVD-2023-56759
Malicious code in bioql PyPI...
EUVD-2024-36572
Malicious code in bioql PyPI...
EUVD-2025-18624
Malicious code in bioql PyPI...
CVE-2025-53018
Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery SSRF vulnerability exists in the /api/v2/Photo::fromUrl endpoint. This flaw lets an attacker instruct the application’s backend to make HTTP requests to any URL they choose...
CVE-2025-53018
Lychee prior to v6.6.13 contains a Server-Side Request Forgery in the /api/v2/Photo::fromUrl endpoint. The flaw allows the backend to fetch arbitrary URLs server-side (via fopen()) with no IP validation, allow-list, timeout, or size limits, enabling an attacker to target internal resources (e.g.,...
CVE-2025-50202
Lychee (PHP-based photo-management tool) has a path traversal vulnerability in SecurePathController.php affecting versions 6.6.6–6.6.9. The issue allows leakage of local files, including environment variables, nginx logs, other users’ uploaded images, and configuration secrets. The root cause is ...
CVE-2025-50202 Lychee Path Traversal Vulnerability
Lychee is a free photo-management tool. In versions starting from 6.6.6 to before 6.6.10, an attacker can leak local files including environment variables, nginx logs, other user's uploaded images, and configuration secrets due to a path traversal exploit in SecurePathController.php. This issue h...
[SECURITY] Fedora 40 Update: digikam-8.6.0-4.fc40
digiKam is an easy to use and powerful digital photo management application, which makes importing, organizing and manipulating digital photos a "snap". An easy to use interface is provided to connect to your digital camera, preview the images and download and/or delete them. digiKam built-in ima...
[SECURITY] Fedora 41 Update: digikam-8.6.0-4.fc41
digiKam is an easy to use and powerful digital photo management application, which makes importing, organizing and manipulating digital photos a "snap". An easy to use interface is provided to connect to your digital camera, preview the images and download and/or delete them. digiKam built-in ima...
[SECURITY] Fedora 42 Update: digikam-8.6.0-4.fc42
digiKam is an easy to use and powerful digital photo management application, which makes importing, organizing and manipulating digital photos a "snap". An easy to use interface is provided to connect to your digital camera, preview the images and download and/or delete them. digiKam built-in ima...
CVE-2024-37314
Nextcloud Photos is a photo management app. Users can remove photos from the album of registered users. It is recommended that the Nextcloud Server is upgraded to 25.0.7 or 26.0.2 and the Nextcloud Enterprise Server is upgraded to 25.0.7 or 26.0.2...
CVE-2024-37314
CVE-2024-37314 concerns Nextcloud Photos enabling removal of photos from a registered user’s album. The entry notes remediation by upgrading Nextcloud Server to 25.0.7 or 26.0.2 and Nextcloud Enterprise Server to 25.0.7 or 26.0.2. Connected documents show multiple related Nextcloud vulnerabilitie...
CVE-2023-52082
Lychee is a free photo-management tool. Prior to 5.0.2, Lychee is vulnerable to an SQL injection on any binding when using mysql/mariadb. This injection is only active for users with the .env settings set to DBLOGSQL=true and DBLOGSQLEXPLAIN=true. The defaults settings of Lychee are safe. The pat...
Sql injection
Lychee is a free photo-management tool. Prior to 5.0.2, Lychee is vulnerable to an SQL injection on any binding when using mysql/mariadb. This injection is only active for users with the .env settings set to DBLOGSQL=true and DBLOGSQLEXPLAIN=true. The defaults settings of Lychee are safe. The pat...
CVE-2023-52082 Lychee is vulnerable to an SQL Injection in explain DB queries.
Lychee is a free photo-management tool. Prior to 5.0.2, Lychee is vulnerable to an SQL injection on any binding when using mysql/mariadb. This injection is only active for users with the .env settings set to DBLOGSQL=true and DBLOGSQLEXPLAIN=true. The defaults settings of Lychee are safe. The pat...