CVE-2026-33537

Medium CVSS: 5.3

Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::fromUrl`) contains an incomplete IP validation check that fails to block loopback addresses and link-local addresses. Prior to version 7.5.1, an authenticated user can still reach internal services using direct IP addresses, bypassing all four protection configuration settings even when they are set to their secure defaults. Version 7.5.1 contains a fix for the issue.

Vendor

Lycheeorg

Product

Lychee

CWE

CWE-918

Yayın Tarihi

2026-03-26 21:17:05

Güncelleme

2026-04-01 18:56:40

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-918 Lychee MEDIUM Lycheeorg 2026

Referanslar

https://github.com/LycheeOrg/Lychee/commit/41386677681d18cd04e42a35b50bd88bf53a4a6a https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-vq6w-prpf-h287

Benzer Kayıtlar

Medium

CVE-2026-33738

Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored wit…

Low

CVE-2026-33644

Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` c…

Low

CVE-2026-22784

Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's a…