CVE-2026-33738

Medium CVSS: 4.8

Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unescaped output) in the RSS, Atom, and JSON feed templates. The `/feed` endpoint is publicly accessible without authentication, allowing any RSS reader to execute attacker-controlled JavaScript. Version 7.5.3 fixes the issue.

Vendor

Lycheeorg

Product

Lychee

CWE

CWE-79

Yayın Tarihi

2026-03-26 21:17:08

Güncelleme

2026-03-30 18:45:14

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-79 Lychee MEDIUM Lycheeorg 2026

Referanslar

https://github.com/LycheeOrg/Lychee/commit/d2e2606a0223d5a384d5b806db1b31eb587adc5c https://github.com/LycheeOrg/Lychee/pull/4218 https://github.com/LycheeOrg/Lychee/releases/tag/v7.5.3 https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5574-7f3r-hm9j https://github.com/LycheeOrg/Lychee/security/advisories/GHSA-5574-7f3r-hm9j

Benzer Kayıtlar

Low

CVE-2026-33644

Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` c…

Medium

CVE-2026-33537

Lychee is a free, open-source photo-management tool. The patch introduced for GHSA-cpgw-wgf3-xc6v (SSRF via `Photo::from…

Low

CVE-2026-22784

Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's a…