Lucene search
K
LycheeorgLychee

9 matches found

CVE
CVE
added 2024/03/22 12:0 a.m.72 views

CVE-2024-25807

Lychee 3.1.6 is affected by a Cross Site Scripting (XSS) vulnerability exploitable via the title parameter when creating an album. The root cause is an XSS flaw in the album-creation flow, allowing remote attackers to execute arbitrary code and access sensitive information. The PT-Security entry ...

6.1CVSS6.3AI score0.0046EPSS
CVE
CVE
added 2021/12/15 3:24 p.m.56 views

CVE-2021-43675

Lychee-v3 3.2.16 is affected by a Cross Site Scripting (XSS) vulnerability in php/Access/Guest.php. The issue arises because the exit path prints a message to the user that includes albumID, which is controllable by the attacker. Affected component: Lychee-v3, version 3.2.16; vulnerable function/...

6.1CVSS5.9AI score0.00851EPSS
Web
CVE
CVE
added 2024/03/22 12:0 a.m.56 views

CVE-2024-25808

Lychee 3.1.6 is affected by a Cross-site Request Forgery (CSRF) vulnerability that enables remote attackers to execute arbitrary code via the create new album function. The issue is documented across multiple sources (e.g., NVD/Red Hat/CVE records and PT Security), all referencing Lychee 3.1.6 as...

8.3CVSS8.2AI score0.00377EPSS
CVE
CVE
added 2023/12/28 3:46 p.m.40 views

CVE-2023-52082

Lychee (free photo-management tool) is vulnerable to an SQL injection in explain DB queries on MySQL/MariaDB bindings prior to version 5.0.2. The vulnerability requires DB_LOG_SQL=true and DB_LOG_SQL_EXPLAIN=true in .env to be active. The default Lychee settings are safe. A patch is available in ...

9.8CVSS9.7AI score0.00472EPSS
CVE
CVE
added 2026/03/26 8:1 p.m.24 views

CVE-2026-33537

Lychee (open-source photo management) is affected by an SSRF issue in Photo::fromUrl due to incomplete IP validation that does not block loopback and link-local addresses. Before version 7.5.1, an authenticated user could reach internal services via direct IPs, bypassing all four protection confi...

5.3CVSS5.8AI score0.0026EPSS
CVE
CVE
added 2026/03/26 8:4 p.m.17 views

CVE-2026-33644

CVE-2026-33644 describes an SSRF bypass in Lychee prior to 7.5.2. The issue lies in the PhotoUrlRule.php validation: the IP address check (lines 86–89) activates only when the hostname is an IP, so domain names resolve to internal IPs and bypass the check, enabling potential SSRF. A patch is avai...

4.3CVSS5.8AI score0.00217EPSS
CVE
CVE
added 2026/04/09 4:14 p.m.16 views

CVE-2026-39957

Lychee (open-source photo manager) prior to version 7.5.4 is affected by a SQL operator-precedence bug in SharingController::listAll() that causes the orWhereNotNull('user_group_id') clause to bypass the ownership filter within the when() block. This allows any authenticated non-admin user with u...

4.3CVSS6AI score0.00208EPSS
CVE
CVE
added 2026/01/12 6:37 p.m.15 views

CVE-2026-22784

Lychee (pre-7.1.0) has an authorization vulnerability in the album password unlock feature: unlocking a password-protected public album automatically unlocks all other public albums sharing the same password, causing cross-album access and potential unauthorized view of protected albums. The issu...

4.3CVSS6.7AI score0.00233EPSS
CVE
CVE
added 2026/03/26 8:25 p.m.7 views

CVE-2026-33738

Vulnerability summary (CVE-2026-33738) : Lychee prior to version 7.5.3 is affected. The photo description field is stored without HTML sanitization and is rendered via unescaped Blade output ({!! $item->summary !!}) in the RSS, Atom, and JSON feed templates. The publicly accessible /feed endpo...

5.4CVSS5.9AI score0.00214EPSS