Total
7 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-33738 | 1 Lycheeorg | 1 Lychee | 2026-03-30 | N/A | 5.4 MEDIUM |
| Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unescaped output) in the RSS, Atom, and JSON feed templates. The `/feed` endpoint is publicly accessible without authentication, allowing any RSS reader to execute attacker-controlled JavaScript. Version 7.5.3 fixes the issue. | |||||
| CVE-2026-33644 | 1 Lycheeorg | 1 Lychee | 2026-03-30 | N/A | 4.3 MEDIUM |
| Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (line 86-89) only activates when the hostname is an IP address. When a domain name is used, `filter_var($host, FILTER_VALIDATE_IP)` returns `false`, skipping the entire check. Version 7.5.2 patches the issue. | |||||
| CVE-2026-22784 | 1 Lycheeorg | 1 Lychee | 2026-01-16 | N/A | 4.3 MEDIUM |
| Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that allows users to gain possibly unauthorized access to other users' password-protected albums. When a user unlocks a password-protected public album, the system automatically unlocks ALL other public albums that share the same password, resulting in a complete authorization bypass. This vulnerability is fixed in 7.1.0. | |||||
| CVE-2024-25807 | 1 Lycheeorg | 1 Lychee | 2025-05-28 | N/A | 6.1 MEDIUM |
| Cross Site Scripting (XSS) vulnerability in Lychee 3.1.6, allows remote attackers to execute arbitrary code and obtain sensitive information via the title parameter when creating an album. | |||||
| CVE-2024-25808 | 1 Lycheeorg | 1 Lychee | 2025-05-28 | N/A | 8.3 HIGH |
| Cross-site Request Forgery (CSRF) vulnerability in Lychee version 3.1.6, allows remote attackers to execute arbitrary code via the create new album function. | |||||
| CVE-2023-52082 | 1 Lycheeorg | 1 Lychee | 2024-11-21 | N/A | 8.8 HIGH |
| Lychee is a free photo-management tool. Prior to 5.0.2, Lychee is vulnerable to an SQL injection on any binding when using mysql/mariadb. This injection is only active for users with the `.env` settings set to DB_LOG_SQL=true and DB_LOG_SQL_EXPLAIN=true. The defaults settings of Lychee are safe. The patch is provided on version 5.0.2. To work around this issue, disable SQL EXPLAIN logging. | |||||
| CVE-2021-43675 | 1 Lycheeorg | 1 Lychee | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Lychee-v3 3.2.16 is affected by a Cross Site Scripting (XSS) vulnerability in php/Access/Guest.php. The function exit will terminate the script and print the message to the user. The message will contain albumID which is controlled by the user. | |||||