CVE-2026-33644

Low CVSS: 2.3

Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (line 86-89) only activates when the hostname is an IP address. When a domain name is used, `filter_var($host, FILTER_VALIDATE_IP)` returns `false`, skipping the entire check. Version 7.5.2 patches the issue.

Vendor

Lycheeorg

Product

Lychee

CWE

CWE-918

Yayın Tarihi

2026-03-26 21:17:07

Güncelleme

2026-03-30 18:10:16

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-918 Lychee LOW Lycheeorg 2026

Referanslar

https://github.com/LycheeOrg/Lychee/commit/28c5261fb9deab4f9420c8cc2f73a87425939107 https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5245-4p8c-jwff

Benzer Kayıtlar

Medium

CVE-2026-33738

Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored wit…

Medium

CVE-2026-33537

Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::from…

Low

CVE-2026-22784

Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's a…