Lycheeorg: >> Lychee >> 3.1.6 Security Vulnerabilities
Lychee is a free, open-source photo-management tool. Prior to version 7.5.3, the photo `description` field is stored without HTML sanitization and rendered using `{!! $item->summary !!}` (Blade unescaped output) in the RSS, Atom, and JSON feed templates. The `/feed` endpoint is publicly accessible without authentication, allowing any RSS reader to execute attacker-controlled JavaScript. Version 7.5.3 fixes the issue.
CVSS Score
5.4
EPSS Score
0.001
Published
2026-03-26
Lychee is a free, open-source photo-management tool. Prior to version 7.5.2, the SSRF protection in `PhotoUrlRule.php` can be bypassed using DNS rebinding. The IP validation check (line 86-89) only activates when the hostname is an IP address. When a domain name is used, `filter_var($host, FILTER_VALIDATE_IP)` returns `false`, skipping the entire check. Version 7.5.2 patches the issue.
CVSS Score
4.3
EPSS Score
0.0
Published
2026-03-26
Lychee is a free, open-source photo-management tool. Prior to 7.1.0, an authorization vulnerability exists in Lychee's album password unlock functionality that allows users to gain possibly unauthorized access to other users' password-protected albums. When a user unlocks a password-protected public album, the system automatically unlocks ALL other public albums that share the same password, resulting in a complete authorization bypass. This vulnerability is fixed in 7.1.0.
CVSS Score
4.3
EPSS Score
0.001
Published
2026-01-12
Cross-site Request Forgery (CSRF) vulnerability in Lychee version 3.1.6, allows remote attackers to execute arbitrary code via the create new album function.
CVSS Score
8.3
EPSS Score
0.011
Published
2024-03-22
Cross Site Scripting (XSS) vulnerability in Lychee 3.1.6, allows remote attackers to execute arbitrary code and obtain sensitive information via the title parameter when creating an album.
CVSS Score
6.1
EPSS Score
0.003
Published
2024-03-22