9 matches found
CVE-2024-25807
Lychee 3.1.6 is affected by a Cross Site Scripting (XSS) vulnerability exploitable via the title parameter when creating an album. The root cause is an XSS flaw in the album-creation flow, allowing remote attackers to execute arbitrary code and access sensitive information. The PT-Security entry ...
CVE-2024-25808
Lychee 3.1.6 is affected by a Cross-site Request Forgery (CSRF) vulnerability that enables remote attackers to execute arbitrary code via the create new album function. The issue is documented across multiple sources (e.g., NVD/Red Hat/CVE records and PT Security), all referencing Lychee 3.1.6 as...
CVE-2021-43675
Lychee-v3 3.2.16 is affected by a Cross Site Scripting (XSS) vulnerability in php/Access/Guest.php. The issue arises because the exit path prints a message to the user that includes albumID, which is controllable by the attacker. Affected component: Lychee-v3, version 3.2.16; vulnerable function/...
CVE-2023-52082
Lychee (free photo-management tool) is vulnerable to an SQL injection in explain DB queries on MySQL/MariaDB bindings prior to version 5.0.2. The vulnerability requires DB_LOG_SQL=true and DB_LOG_SQL_EXPLAIN=true in .env to be active. The default Lychee settings are safe. A patch is available in ...
CVE-2026-33537
Lychee (open-source photo management) is affected by an SSRF issue in Photo::fromUrl due to incomplete IP validation that does not block loopback and link-local addresses. Before version 7.5.1, an authenticated user could reach internal services via direct IPs, bypassing all four protection confi...
CVE-2026-33644
CVE-2026-33644 describes an SSRF bypass in Lychee prior to 7.5.2. The issue lies in the PhotoUrlRule.php validation: the IP address check (lines 86–89) activates only when the hostname is an IP, so domain names resolve to internal IPs and bypass the check, enabling potential SSRF. A patch is avai...
CVE-2026-39957
Lychee (open-source photo manager) prior to version 7.5.4 is affected by a SQL operator-precedence bug in SharingController::listAll() that causes the orWhereNotNull('user_group_id') clause to bypass the ownership filter within the when() block. This allows any authenticated non-admin user with u...
CVE-2026-22784
Lychee (pre-7.1.0) has an authorization vulnerability in the album password unlock feature: unlocking a password-protected public album automatically unlocks all other public albums sharing the same password, causing cross-album access and potential unauthorized view of protected albums. The issu...
CVE-2026-33738
Vulnerability summary (CVE-2026-33738) : Lychee prior to version 7.5.3 is affected. The photo description field is stored without HTML sanitization and is rendered via unescaped Blade output ({!! $item->summary !!}) in the RSS, Atom, and JSON feed templates. The publicly accessible /feed endpo...