Lucene search
K

5 matches found

CVE
CVE
added 2026/03/26 8:1 p.m.25 views

CVE-2026-33537

Lychee (open-source photo management) is affected by an SSRF issue in Photo::fromUrl due to incomplete IP validation that does not block loopback and link-local addresses. Before version 7.5.1, an authenticated user could reach internal services via direct IPs, bypassing all four protection confi...

5.3CVSS5.8AI score0.0026EPSS
CVE
CVE
added 2026/04/09 4:14 p.m.20 views

CVE-2026-39957

Lychee (open-source photo manager) prior to version 7.5.4 is affected by a SQL operator-precedence bug in SharingController::listAll() that causes the orWhereNotNull('user_group_id') clause to bypass the ownership filter within the when() block. This allows any authenticated non-admin user with u...

4.3CVSS6AI score0.00208EPSS
CVE
CVE
added 2026/03/26 8:4 p.m.17 views

CVE-2026-33644

CVE-2026-33644 describes an SSRF bypass in Lychee prior to 7.5.2. The issue lies in the PhotoUrlRule.php validation: the IP address check (lines 86–89) activates only when the hostname is an IP, so domain names resolve to internal IPs and bypass the check, enabling potential SSRF. A patch is avai...

4.3CVSS5.8AI score0.00217EPSS
CVE
CVE
added 2026/01/12 6:37 p.m.16 views

CVE-2026-22784

Lychee (pre-7.1.0) has an authorization vulnerability in the album password unlock feature: unlocking a password-protected public album automatically unlocks all other public albums sharing the same password, causing cross-album access and potential unauthorized view of protected albums. The issu...

4.3CVSS6.7AI score0.00233EPSS
CVE
CVE
added 2026/03/26 8:25 p.m.9 views

CVE-2026-33738

Vulnerability summary (CVE-2026-33738) : Lychee prior to version 7.5.3 is affected. The photo description field is stored without HTML sanitization and is rendered via unescaped Blade output ({!! $item->summary !!}) in the RSS, Atom, and JSON feed templates. The publicly accessible /feed endpo...

5.4CVSS5.9AI score0.00214EPSS